[rsa2elk/cisco_nexus] Upgrade to ECS 8.0.0 #2581

Merged
merged 3 commits into from Jan 26, 2022
2 changes: 1 addition & 1 deletion packages/cisco_nexus/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
reference: git@1.12
reference: git@8.0
5 changes: 5 additions & 0 deletions packages/cisco_nexus/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "0.4.0"
changes:
- description: Update to ECS 8.0.0
type: enhancement
link: https://github.com/elastic/integrations/pull/2581
- version: "0.3.1"
changes:
- description: Regenerate test files using the new GeoIP database
@@ -1,13 +1,13 @@
{
"expected": [
{
"message": "2012 Dec 18 14:51:08 Nexus5010-B %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user en from 2.2.2.1 - login",
"event": {
"ingested": "2021-12-14T14:40:31.302635869Z"
},
"ecs": {
"version": "1.12.0"
"version": "8.0.0"
},
"event": {
"ingested": "2022-01-25T12:08:51.152643821Z"
},
"message": "2012 Dec 18 14:51:08 Nexus5010-B %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user en from 2.2.2.1 - login",
"tags": [
"preserve_original_event"
]
Expand Up @@ -19,7 +19,6 @@ fields:
{{#contains "forwarded" tags}}
publisher_pipeline.disable_host: true
{{/contains}}

processors:
{{#if processors}}
{{processors}}
Expand Down Expand Up @@ -830,7 +829,7 @@ processors:
if (value != null && (result = fn(value))!== undefined) {
evt.Put(FIELDS_PREFIX + dst, result);
} else {
console.error(fn.name + " failed for '" + value + "'");
console.debug(fn.name + " failed for '" + value + "'");
}
};
}
Expand Down Expand Up @@ -1042,8 +1041,8 @@ processors:
"child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
"city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
"city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
"daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
"daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
"daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
"daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
"ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
"devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
"devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
Expand Down Expand Up @@ -1101,11 +1100,11 @@ processors:
"macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
"messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
"method": {to:[{field: "http.request.method", setter: fld_set}]},
"msg": {to:[{field: "log.original", setter: fld_set}]},
"msg": {to:[{field: "message", setter: fld_set}]},
"orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
"owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
"parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
"parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
"parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
"parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
"patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
Expand All @@ -1115,16 +1114,16 @@ processors:
"port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
"process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
"process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
"process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
"process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
"process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
"product": {to:[{field: "observer.product", setter: fld_set}]},
"protocol": {to:[{field: "network.protocol", setter: fld_set}]},
"query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
"rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
"referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
"rulename": {to:[{field: "rule.name", setter: fld_set}]},
"saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
"saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
"saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
"saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
"sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
"sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
"service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
Expand Down Expand Up @@ -2557,8 +2556,8 @@ processors:
builder.Add(save_flags);
builder.Add(strip_syslog_priority);
builder.Add(chain1);
builder.Add(populate_fields);
builder.Add(restore_flags);
builder.Add(populate_fields);
var chain = builder.Build();
return {
process: chain.Run,
19 changes: 9 additions & 10 deletions packages/cisco_nexus/data_stream/log/agent/stream/tcp.yml.hbs
Expand Up @@ -16,7 +16,6 @@ fields:
{{#contains "forwarded" tags}}
publisher_pipeline.disable_host: true
{{/contains}}

processors:
{{#if processors}}
{{processors}}
Expand Down Expand Up @@ -827,7 +826,7 @@ processors:
if (value != null && (result = fn(value))!== undefined) {
evt.Put(FIELDS_PREFIX + dst, result);
} else {
console.error(fn.name + " failed for '" + value + "'");
console.debug(fn.name + " failed for '" + value + "'");
}
};
}
Expand Down Expand Up @@ -1039,8 +1038,8 @@ processors:
"child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
"city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
"city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
"daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
"daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
"daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
"daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
"ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
"devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
"devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
Expand Down Expand Up @@ -1098,11 +1097,11 @@ processors:
"macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
"messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
"method": {to:[{field: "http.request.method", setter: fld_set}]},
"msg": {to:[{field: "log.original", setter: fld_set}]},
"msg": {to:[{field: "message", setter: fld_set}]},
"orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
"owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
"parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
"parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
"parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
"parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
"patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
Expand All @@ -1112,16 +1111,16 @@ processors:
"port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
"process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
"process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
"process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
"process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
"process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
"product": {to:[{field: "observer.product", setter: fld_set}]},
"protocol": {to:[{field: "network.protocol", setter: fld_set}]},
"query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
"rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
"referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
"rulename": {to:[{field: "rule.name", setter: fld_set}]},
"saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
"saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
"saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
"saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
"sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
"sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
"service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
Expand Down Expand Up @@ -2554,8 +2553,8 @@ processors:
builder.Add(save_flags);
builder.Add(strip_syslog_priority);
builder.Add(chain1);
builder.Add(populate_fields);
builder.Add(restore_flags);
builder.Add(populate_fields);
var chain = builder.Build();
return {
process: chain.Run,
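Review bot: The `daddr`/`daddr_v6` and `saddr`/`saddr_v6` entries in the field-map hunks (`@@ -1039` and `@@ -1112`) now both write the same `destination.ip` / `source.ip` field with `fld_set`, so an event that carries both the IPv4 and the IPv6 key ends up with whichever value the map processes last, the other surviving only in `related.ip` — assuming `fld_set` overwrites as its name suggests; the setter bodies are outside the hunk. For detections and enrichments keyed on `source.ip`/`destination.ip` that makes the chosen address depend on processing order rather than a stated rule, where the old `fld_append` at least kept both. The same file already resolves this kind of collision with `fld_prio` (`devicehostip` → `host.ip`, `prio: 2`), so giving the pairs distinct priorities, e.g. `"daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},` and `"daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},` with the matching change for `saddr`/`saddr_v6`, would make the precedence explicit and self-documenting. The identical map in udp.yml.hbs, and in the earlier .hbs section whose file header is not shown on this page, has the same lines.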
19 changes: 9 additions & 10 deletions packages/cisco_nexus/data_stream/log/agent/stream/udp.yml.hbs
Expand Up @@ -16,7 +16,6 @@ fields:
{{#contains "forwarded" tags}}
publisher_pipeline.disable_host: true
{{/contains}}

processors:
{{#if processors}}
{{processors}}
Expand Down Expand Up @@ -827,7 +826,7 @@ processors:
if (value != null && (result = fn(value))!== undefined) {
evt.Put(FIELDS_PREFIX + dst, result);
} else {
console.error(fn.name + " failed for '" + value + "'");
console.debug(fn.name + " failed for '" + value + "'");
}
};
}
Expand Down Expand Up @@ -1039,8 +1038,8 @@ processors:
"child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
"city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
"city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
"daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
"daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
"daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
"daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
"ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
"devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
"devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
Expand Down Expand Up @@ -1098,11 +1097,11 @@ processors:
"macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
"messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
"method": {to:[{field: "http.request.method", setter: fld_set}]},
"msg": {to:[{field: "log.original", setter: fld_set}]},
"msg": {to:[{field: "message", setter: fld_set}]},
"orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
"owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
"parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
"parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
"parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
"parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
"patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
Expand All @@ -1112,16 +1111,16 @@ processors:
"port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
"process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
"process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
"process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
"process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
"process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
"product": {to:[{field: "observer.product", setter: fld_set}]},
"protocol": {to:[{field: "network.protocol", setter: fld_set}]},
"query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
"rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
"referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
"rulename": {to:[{field: "rule.name", setter: fld_set}]},
"saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
"saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
"saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
"saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
"sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
"sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
"service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
Expand Down Expand Up @@ -2554,8 +2553,8 @@ processors:
builder.Add(save_flags);
builder.Add(strip_syslog_priority);
builder.Add(chain1);
builder.Add(populate_fields);
builder.Add(restore_flags);
builder.Add(populate_fields);
var chain = builder.Build();
return {
process: chain.Run,
Expand Up @@ -8,7 +8,7 @@ processors:
value: '{{_ingest.timestamp}}'
- set:
field: ecs.version
value: '1.12.0'
value: '8.0.0'
# User agent
- user_agent:
field: user_agent.original
4 changes: 1 addition & 3 deletions packages/cisco_nexus/data_stream/log/fields/ecs.yml
Expand Up @@ -110,8 +110,6 @@
name: http.request.referrer
- external: ecs
name: log.level
- external: ecs
name: log.original
- external: ecs
name: log.syslog.facility.code
- external: ecs
Expand Down Expand Up @@ -153,7 +151,7 @@
- external: ecs
name: process.pid
- external: ecs
name: process.ppid
name: process.parent.pid
- external: ecs
name: process.title
- external: ecs
34 changes: 12 additions & 22 deletions packages/cisco_nexus/data_stream/log/sample_event.json
@@ -1,12 +1,11 @@
{
"@timestamp": "2021-09-07T13:09:59.758Z",
"@timestamp": "2022-01-25T12:10:52.945Z",
"agent": {
"ephemeral_id": "92f08db1-f1b7-47c0-81b7-3c65eed51350",
"hostname": "docker-fleet-agent",
"id": "02356a51-aa2b-4151-84f7-544d3b2bccf7",
"ephemeral_id": "168bb285-37c0-4f83-9ac8-fb8599371dad",
"id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "7.15.0"
"version": "8.0.0"
},
"data_stream": {
"dataset": "cisco_nexus.log",
Expand All @@ -17,40 +16,31 @@
"version": "1.12.0"
},
"elastic_agent": {
"id": "02356a51-aa2b-4151-84f7-544d3b2bccf7",
"id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0",
"snapshot": true,
"version": "7.15.0"
"version": "8.0.0"
},
"event": {
"agent_id_status": "verified",
"code": "pam_aaa",
"dataset": "cisco_nexus.log",
"ingested": "2021-09-07T13:10:00Z",
"original": "2012 Dec 18 14:51:08 Nexus5010-B %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user en from 2.2.2.1 - login",
"ingested": "2022-01-25T12:10:53Z",
"original": "2012 Dec 18 14:51:08 Nexus5010-B %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user en from 2.2.2.1 - login\n",
"timezone": "+00:00"
},
"host": {
"name": "docker-fleet-agent"
},
"input": {
"type": "log"
"type": "udp"
},
"log": {
"file": {
"path": "/tmp/service_logs/test-nexus.log"
},
"offset": 0
"source": {
"address": "172.30.0.4:48333"
}
},
"observer": {
"product": "Nexus",
"type": "Switches",
"vendor": "Cisco"
},
"related": {
"hosts": [
"docker-fleet-agent"
]
},
"rsa": {
"internal": {
"messageid": "pam_aaa"