Checkpoint Syslog Filebeat module #17682
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
P1llus
added
enhancement
in progress
|
Pinging @elastic/siem (Team:SIEM) |
P1llus
changed the title
6 tasks
… conditional statement in pipeline to make it safer
adriansr
added a commit
that referenced
this pull request
Apr 14, 2020
This PR makes some changes to CEF module's custom mappings for Check Point devices to ensure compatibility with the upcoming checkpoint module. Check Point has its custom log format, for which a new module is being prepared. The idea behind this new module as well as CEF custom mappings for Check Point (this PR), is to use ECS whenever possible and map the rest under checkpoint.* using the original field name from Check Point. In the original PR for CEF, a few mistakes had been done in field names and types. Also taking the opportunity to change some ECS mappings. Related #16907 #17682
6 tasks
adriansr
added a commit
to adriansr/beats
that referenced
this pull request
Apr 14, 2020
This PR makes some changes to CEF module's custom mappings for Check Point devices to ensure compatibility with the upcoming checkpoint module. Check Point has its custom log format, for which a new module is being prepared. The idea behind this new module as well as CEF custom mappings for Check Point (this PR), is to use ECS whenever possible and map the rest under checkpoint.* using the original field name from Check Point. In the original PR for CEF, a few mistakes had been done in field names and types. Also taking the opportunity to change some ECS mappings. Related elastic#16907 elastic#17682 (cherry picked from commit 4f6da4f)
adriansr
added a commit
to adriansr/beats
that referenced
this pull request
Apr 14, 2020
This PR makes some changes to CEF module's custom mappings for Check Point devices to ensure compatibility with the upcoming checkpoint module. Check Point has its custom log format, for which a new module is being prepared. The idea behind this new module as well as CEF custom mappings for Check Point (this PR), is to use ECS whenever possible and map the rest under checkpoint.* using the original field name from Check Point. In the original PR for CEF, a few mistakes had been done in field names and types. Also taking the opportunity to change some ECS mappings. Related elastic#16907 elastic#17682 (cherry picked from commit 4f6da4f)
6 tasks
adriansr
added a commit
that referenced
this pull request
Apr 15, 2020
) This PR makes some changes to CEF module's custom mappings for Check Point devices to ensure compatibility with the upcoming checkpoint module. Check Point has its custom log format, for which a new module is being prepared. The idea behind this new module as well as CEF custom mappings for Check Point (this PR), is to use ECS whenever possible and map the rest under checkpoint.* using the original field name from Check Point. In the original PR for CEF, a few mistakes had been done in field names and types. Also taking the opportunity to change some ECS mappings. Related #16907 #17682 (cherry picked from commit 4f6da4f)
adriansr
added a commit
that referenced
this pull request
Apr 15, 2020
) This PR makes some changes to CEF module's custom mappings for Check Point devices to ensure compatibility with the upcoming checkpoint module. Check Point has its custom log format, for which a new module is being prepared. The idea behind this new module as well as CEF custom mappings for Check Point (this PR), is to use ECS whenever possible and map the rest under checkpoint.* using the original field name from Check Point. In the original PR for CEF, a few mistakes had been done in field names and types. Also taking the opportunity to change some ECS mappings. Related #16907 #17682 (cherry picked from commit 4f6da4f)
P1llus
added
review
and removed
in progress
leehinman
requested changes
Apr 15, 2020
There was a problem hiding this comment.
Looking really good. I've got a couple of suggestions for increased use of ECS.
- The related.ip, related.hash & related.user fields should be populated.
- event.category, any chance we can figure out when malware & intrusion_detection could be added?
- event.type in-line comments on allowed & denied could we also use sequence number for start?
|
All changes from comments has been applied, new expected.json generated, and nosetest has been run again. |
andrewkroh
reviewed
Apr 16, 2020
Co-Authored-By: Andrew Kroh <andrew.kroh@elastic.co>
…kpoint-module Adding changes from remote branch to Changelog
|
Added updated documentation changes as per @andrewkroh comments. Documentation from CEF to checkpoint module will be done in a separate PR. |
andrewkroh
approved these changes
Apr 16, 2020
tonymeehan
reviewed
Apr 17, 2020
| { | ||
| "@timestamp": "2020-03-29T13:19:20Z", | ||
| "checkpoint.sys_message": ":\"The eth0 interface is not protected by the anti-spoofing feature. Your network may be at risk", | ||
| "event.category": [ |
There was a problem hiding this comment.
Seems like the format for checkpoint.sys_message is different than the rest during errors and alerts, will add a fix for this.
The issue is because that specific field has a weird value, this is the raw event coming directly from the device:
sys_message::"The eth0 interface is not protected by the anti-spoofing feature. Your network may be at risk"]
There was a problem hiding this comment.
I was commenting that it's good to see event.category as an array!
…a to ensure both correct and incorrect format is working
|
I have added a workaround for this issue, as its not in the parser itself but rather a bug on the Checkpoint side. I have updated the dataset to have at least 1 properly formatted and 1 incorrectly formatted message, to ensure the parser works for both. Re-ran nosetests afterwards. |
andrewkroh
approved these changes
Apr 20, 2020
leehinman
approved these changes
Apr 20, 2020
|
@P1llus really awesome to see this PR! |
andrewkroh
added
the
needs_backport
6 tasks
andrewkroh
added
v7.8.0
and removed
needs_backport
andrewkroh
pushed a commit
to andrewkroh/beats
that referenced
this pull request
Apr 20, 2020
This adds a CheckPoint Filebeat module. The difference between this module and the CEF checkpoint module is that this is utilizing the syslog output format instead of CEF. This syslog output format supports a much larger set of fields from Checkpoint. (cherry picked from commit afc3a49)
andrewkroh
added a commit
that referenced
this pull request
Apr 22, 2020
This adds a CheckPoint Filebeat module. The difference between this module and the CEF checkpoint module is that this is utilizing the syslog output format instead of CEF. This syslog output format supports a much larger set of fields from Checkpoint. (cherry picked from commit afc3a49) Co-authored-by: Marius Iversen <marius.iversen@elastic.co>
|
@P1llus / @tonymeehan : This seems to not include any - module: checkpoint
access:
input:
- type: syslog
protocol.tcp:
host: "0.0.0.0:8001"
tls:
..... |
6 tasks
This was referenced Jul 1, 2020
6 tasks
leweafan
pushed a commit
to leweafan/beats
that referenced
this pull request
Apr 28, 2023
… (elastic#17712) This PR makes some changes to CEF module's custom mappings for Check Point devices to ensure compatibility with the upcoming checkpoint module. Check Point has its custom log format, for which a new module is being prepared. The idea behind this new module as well as CEF custom mappings for Check Point (this PR), is to use ECS whenever possible and map the rest under checkpoint.* using the original field name from Check Point. In the original PR for CEF, a few mistakes had been done in field names and types. Also taking the opportunity to change some ECS mappings. Related elastic#16907 elastic#17682 (cherry picked from commit ddb92ca)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
This PR adds checkpoint filebeat module.
The difference between this module and the CEF checkpoint module is that this is utilizing the syslog output format instead of CEF.
This output format supports a much larger set of fields from Checkpoint.
This is a collaboration work with @adriansr .
Why is it important?
Adding more supported products to the filebeat portfolio.
Checklist
CHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Closes #16041
Nosetests run successfully:
INTEGRATION_TESTS=1 BEAT_STRICT_PERMS=false TESTING_FILEBEAT_MODULES=checkpoint nosetests -v -s tests/system/test_xpack_modules.py