From e4cf4e16c310c64a98ac0e31735c769acd9306ee Mon Sep 17 00:00:00 2001
From: Bharat Pasupula
Date: Thu, 28 Sep 2023 22:56:12 +0200
Subject: [PATCH] [cisco_ise] Add filestream fields
---
 packages/cisco_ise/changelog.yml | 5 +
 .../test/system/test-filestream-config.yml | 6 +
 .../data_stream/log/fields/agent.yml | 22 +++
 .../data_stream/log/sample_event.json | 168 +++++++++--------
 packages/cisco_ise/docs/README.md | 6 +
 packages/cisco_ise/manifest.yml | 2 +-
 6 files changed, 124 insertions(+), 85 deletions(-)
diff --git a/packages/cisco_ise/changelog.yml b/packages/cisco_ise/changelog.yml
index 97b43997dd7..0e6e0ee4d02 100644
--- a/packages/cisco_ise/changelog.yml
+++ b/packages/cisco_ise/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: 1.17.0
+ changes:
+ - description: Adapt fields for changes in file system info
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8014
 - version: 1.16.0
 changes:
 - description: ECS version updated to 8.10.0.
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/system/test-filestream-config.yml b/packages/cisco_ise/data_stream/log/_dev/test/system/test-filestream-config.yml
index ab621b50029..3eff9ab8c41 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/system/test-filestream-config.yml
+++ b/packages/cisco_ise/data_stream/log/_dev/test/system/test-filestream-config.yml
@@ -6,3 +6,9 @@ data_stream:
 preserve_duplicate_custom_fields: true
 paths:
 - '{{SERVICE_LOGS_DIR}}/*.log'
+numeric_keyword_fields:
+ - log.file.device_id
+ - log.file.inode
+ - log.file.idxhi
+ - log.file.idxlo
+ - log.file.vol
diff --git a/packages/cisco_ise/data_stream/log/fields/agent.yml b/packages/cisco_ise/data_stream/log/fields/agent.yml
index 98d2f9f38d5..becfd8bef82 100644
--- a/packages/cisco_ise/data_stream/log/fields/agent.yml
+++ b/packages/cisco_ise/data_stream/log/fields/agent.yml
@@ -175,3 +175,25 @@
 - name: log.offset
 type: long
 description: Log offset
+- name: log.file
+ type: group
+ fields:
+ - name: device_id
+ type: keyword
+ description: ID of the device containing the filesystem where the file resides.
+ - name: fingerprint
+ type: keyword
+ description: The sha256 fingerprint identity of the file when fingerprinting is enabled.
+ - name: inode
+ type: keyword
+ description: Inode number of the log file.
+ - name: idxhi
+ type: keyword
+ description: The high-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: idxlo
+ type: keyword
+ description: The low-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: vol
+ type: keyword
+ description: The serial number of the volume that contains a file. (Windows-only)
+
diff --git a/packages/cisco_ise/data_stream/log/sample_event.json b/packages/cisco_ise/data_stream/log/sample_event.json
index 371d2775705..2be1030b524 100644
--- a/packages/cisco_ise/data_stream/log/sample_event.json
+++ b/packages/cisco_ise/data_stream/log/sample_event.json
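Review bot: The last added line of the hunk is an empty `+` line, which leaves agent.yml ending in a blank line while every other entry ends directly after its `description`; drop it. The `device_id` and `inode` descriptions state no platform scope although `idxhi`, `idxlo` and `vol` are marked `(Windows-only)`; presumably the first two are the non-Windows counterparts, and saying so, e.g. `description: Inode number of the log file. (non-Windows)`, keeps the group self-explanatory. Mapping these identifiers as `keyword` rather than `long` is the right choice even though the sample event carries them as JSON numbers (`"device_id": 141`, `"inode": 18736897`), since they are identifiers rather than quantities, and the `numeric_keyword_fields` entry added to the test config is what lets the system test accept that representation.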
@@ -1,164 +1,164 @@ { - "@timestamp": "2020-04-27T11:11:47.028-08:00", + "@timestamp": "2020-02-21T19:13:08.328Z", "agent": { - "ephemeral_id": "86f518cd-51e3-4798-9fa5-e8947dc5d209", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "80f878c2-658d-44da-9195-0431c30ae456", + "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.10.1" }, "cisco_ise": { "log": { "acct": { - "authentic": "RADIUS", - "session": { - "id": "00000000/d4:ca:6d:14:87:3b/20879" - }, - "status": { - "type": "Start" + "request": { + "flags": "Stop" } }, "acs": { "session": { - "id": "hijk.xyz.com/176956368/1092777" - } - }, - "airespace": { - "wlan": { - "id": 1 - } - }, - "allowed_protocol": { - "matched": { - "rule": "Default" + "id": "ldnnacpsn1/359344348/952729" } }, - "called_station": { - "id": "00-24-97-69-7a-c0" - }, - "calling_station": { - "id": "d4-ca-6d-14-87-3b" + "authen_method": "TacacsPlus", + "avpair": { + "priv_lvl": 15, + "start_time": "2020-03-26T01:17:12.000Z", + "task_id": "2962", + "timezone": "GMT" }, "category": { - "name": "CISE_RADIUS_Accounting" + "name": "CISE_TACACS_Accounting" }, - "class": "CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772", + "cmdset": "[ CmdAV=show mac-address-table ]", "config_version": { - "id": 33 + "id": 1829 }, "cpm": { "session": { - "id": "0a222bc0000000d123e111f0" + "id": "81.2.69.144Accounting306034364" } }, - "event": { - "timestamp": "2014-01-10T07:59:55.000Z" - }, - "framed": { - "ip": "81.2.69.145" + "device": { + "type": [ + "Device Type#All Device Types#Routers", + "Device Type#All Device Types#Routers" + ] }, - "location": "Location#All Locations#SJC#WNBU", + "ipsec": [ + "IPSEC#Is IPSEC Device", + "IPSEC#Is IPSEC Device" + ], + "location": [ + "Location#All Locations#EMEA", + "Location#All Locations#EMEA" + ], "message": { - "code": "3000", - "description": "Radius-Accounting: RADIUS Accounting start request", - "id": 
"0000070618" - }, - "nas": { - "identifier": "Acme_fe:56:00", - "ip": "81.2.69.145", - "port": { - "number": 13, - "type": "Wireless - IEEE 802.11" - } + "code": "3300", + "description": "Tacacs-Accounting: TACACS+ Accounting with Command", + "id": "0000000001" + }, + "model": { + "name": "Unknown" }, "network": { "device": { "groups": [ - "Location#All Locations#SJC#WNBU", - "Device Type#All Device Types#Wireless#WLC" + "Location#All Locations#EMEA", + "Device Type#All Device Types#Routers", + "IPSEC#Is IPSEC Device" ], - "name": "WNBU-WLC1" + "name": "wlnwan1", + "profile": [ + "Cisco", + "Cisco" + ] } }, + "port": "tty10", + "privilege": { + "level": 15 + }, "request": { - "latency": 6 + "latency": 1 + }, + "response": { + "AcctReply-Status": "Success" }, "segment": { "number": 0, - "total": 1 + "total": 4 }, "selected": { "access": { - "service": "Default Network Access" + "service": "Device Admin - TACACS" } }, + "service": { + "argument": "shell", + "name": "Login" + }, + "software": { + "version": "Unknown" + }, "step": [ - "11004", - "11017", + "13006", "15049", "15008", "15048", - "15048", - "15048", - "15004", - "15006", - "11005" + "13035" ], - "tunnel": { - "medium": { - "type": "(tag=0) 802" - }, - "private": { - "group_id": "(tag=0) 70" - }, - "type": "(tag=0) VLAN" - } + "type": "Accounting" } }, "client": { - "ip": "81.2.69.145" + "ip": "81.2.69.144" }, "data_stream": { "dataset": "cisco_ise.log", "namespace": "ep", "type": "logs" }, + "destination": { + "ip": "81.2.69.144" + }, "ecs": { "version": "8.10.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", "snapshot": false, - "version": "8.9.1" + "version": "8.10.1" }, "event": { - "action": "radius-accounting", + "action": "tacacs-accounting", "agent_id_status": "verified", "category": [ "configuration" ], "dataset": "cisco_ise.log", - "ingested": "2023-08-29T17:11:24Z", + "ingested": "2023-09-28T20:36:57Z", "kind": "event", - 
"original": "\u003c182\u003eApr 27 11:11:47 hijk.xyz.com CISE_RADIUS_Accounting 0000070618 1 0 2020-04-27 11:11:47.028075 -08:00 0091827141 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=6, NetworkDeviceName=WNBU-WLC1, User-Name=nisehorrrrn, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=81.2.69.145, Class=CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=d4-ca-6d-14-87-3b, NAS-Identifier=Acme_fe:56:00, Acct-Status-Type=Start, Acct-Session-Id=00000000/d4:ca:6d:14:87:3b/20879, Acct-Authentic=RADIUS, Event-Timestamp=1389340795, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, Airespace-Wlan-Id=1, AcsSessionID=hijk.xyz.com/176956368/1092777, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a222bc0000000d123e111f0, AllowedProtocolMatchedRule=Default, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC", - "sequence": 91827141, - "timezone": "-08:00", + "original": "<182>Feb 21 19:13:08 cisco-ise-host CISE_TACACS_Accounting 0000000001 4 0 2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=2962, AVPair=timezone=GMT, AVPair=start_time=1585185432, AVPair=priv-lvl=15, AcctRequest-Flags=Stop, 
Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", + "sequence": 18415781, + "timezone": "+00:00", "type": [ "info" ] }, "host": { - "hostname": "hijk.xyz.com" + "hostname": "cisco-ise-host" }, "input": { "type": "filestream" }, "log": { "file": { + "device_id": 141, + "inode": 18736897, "path": "/tmp/service_logs/log.log" }, "level": "notice", - "offset": 44899, + "offset": 71596, "syslog": { "priority": 182, "severity": { 
@@ -166,16 +166,16 @@ } } }, - "message": "2020-04-27 11:11:47.028075 -08:00 0091827141 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=6, NetworkDeviceName=WNBU-WLC1, User-Name=nisehorrrrn, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=81.2.69.145, Class=CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=d4-ca-6d-14-87-3b, NAS-Identifier=Acme_fe:56:00, Acct-Status-Type=Start, Acct-Session-Id=00000000/d4:ca:6d:14:87:3b/20879, Acct-Authentic=RADIUS, Event-Timestamp=1389340795, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, Airespace-Wlan-Id=1, AcsSessionID=hijk.xyz.com/176956368/1092777, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a222bc0000000d123e111f0, AllowedProtocolMatchedRule=Default, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC", + "message": "2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=2962, AVPair=timezone=GMT, AVPair=start_time=1585185432, AVPair=priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, 
NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", "related": { "hosts": [ - "hijk.xyz.com" + "cisco-ise-host" ], "ip": [ - "81.2.69.145" + "81.2.69.144" ], "user": [ - "nisehorrrrn" + "psxvne" ] }, "tags": [ @@ -184,6 +184,6 @@ "cisco_ise-log" ], "user": { - "name": "nisehorrrrn" + "name": "psxvne" } } \ No newline at end of file diff --git a/packages/cisco_ise/docs/README.md b/packages/cisco_ise/docs/README.md index e8d42a655a0..04428f1e858 100644 --- a/packages/cisco_ise/docs/README.md +++ b/packages/cisco_ise/docs/README.md 
@@ -532,7 +532,13 @@ An example event for `log` looks as following:
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
+| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword |
+| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword |
+| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.inode | Inode number of the log file. | keyword |
 | log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword |
 | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
 | log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
 | log.offset | Log offset | long |
diff --git a/packages/cisco_ise/manifest.yml b/packages/cisco_ise/manifest.yml
index d497f64eff6..82a304a0fc0 100644
--- a/packages/cisco_ise/manifest.yml
+++ b/packages/cisco_ise/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.0"
 name: cisco_ise
 title: Cisco ISE
-version: "1.16.0"
+version: 1.17.0
 description: Collect logs from Cisco ISE with Elastic Agent.
 type: integration
 categories: