diff --git a/packages/cisco_ise/changelog.yml b/packages/cisco_ise/changelog.yml
index 97b43997dd7..510c5507c17 100644
--- a/packages/cisco_ise/changelog.yml
+++ b/packages/cisco_ise/changelog.yml
@@ -1,11 +1,16 @@
 # newer versions go on top
+- version: 1.17.0
+ changes:
+ - description: Adapt fields for changes in file system info
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8014
 - version: 1.16.0
 changes:
 - description: ECS version updated to 8.10.0.
 type: enhancement
 link: https://github.com/elastic/integrations/pull/7905
 - version: 1.15.0
- changes:
+ changes:
 - description: "The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest."
 type: enhancement
 link: https://github.com/elastic/integrations/pull/7883
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/system/test-filestream-config.yml b/packages/cisco_ise/data_stream/log/_dev/test/system/test-filestream-config.yml
index ab621b50029..3eff9ab8c41 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/system/test-filestream-config.yml
+++ b/packages/cisco_ise/data_stream/log/_dev/test/system/test-filestream-config.yml
@@ -6,3 +6,9 @@ data_stream:
 preserve_duplicate_custom_fields: true
 paths:
 - '{{SERVICE_LOGS_DIR}}/*.log'
+numeric_keyword_fields:
+ - log.file.device_id
+ - log.file.inode
+ - log.file.idxhi
+ - log.file.idxlo
+ - log.file.vol
diff --git a/packages/cisco_ise/data_stream/log/fields/agent.yml b/packages/cisco_ise/data_stream/log/fields/agent.yml
index 98d2f9f38d5..828129a0f71 100644
--- a/packages/cisco_ise/data_stream/log/fields/agent.yml
+++ b/packages/cisco_ise/data_stream/log/fields/agent.yml
@@ -175,3 +175,24 @@
 - name: log.offset
 type: long
 description: Log offset
+- name: log.file
+ type: group
+ fields:
+ - name: device_id
+ type: keyword
+ description: ID of the device containing the filesystem where the file resides.
+ - name: fingerprint
+ type: keyword
+ description: The sha256 fingerprint identity of the file when fingerprinting is enabled.
+ - name: inode
+ type: keyword
+ description: Inode number of the log file.
+ - name: idxhi
+ type: keyword
+ description: The high-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: idxlo
+ type: keyword
+ description: The low-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: vol
+ type: keyword
+ description: The serial number of the volume that contains a file. (Windows-only)
diff --git a/packages/cisco_ise/data_stream/log/sample_event.json b/packages/cisco_ise/data_stream/log/sample_event.json
index 371d2775705..894728309a3 100644
--- a/packages/cisco_ise/data_stream/log/sample_event.json
+++ b/packages/cisco_ise/data_stream/log/sample_event.json
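Review bot: `log.file.device_id` and `log.file.inode` are declared as `keyword` in this hunk, yet the sample event in the same commit carries them as bare JSON numbers (`"device_id": 2080`, `"inode": 88860`), so indexing relies on Elasticsearch coercing a number into a keyword field and the system test needs the new `numeric_keyword_fields` list just to accept its own output. Mapping them as keyword is the right call for identifiers that are compared but never summed, but nothing in the field definitions records that reasoning, and the next maintainer who sees numbers in the sample will be tempted to switch the type to `long`. I'd add a comment above the `log.file` group: `# Identifiers, not quantities: mapped as keyword even though the input may emit them as JSON numbers (see numeric_keyword_fields in the system test config).` The same applies to the identical groups added to cisco_nexus/.../fields/beats.yml and f5_bigip/.../fields/agent.yml.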
@@ -1,164 +1,164 @@ { - "@timestamp": "2020-04-27T11:11:47.028-08:00", + "@timestamp": "2020-02-21T19:13:08.328Z", "agent": { - "ephemeral_id": "86f518cd-51e3-4798-9fa5-e8947dc5d209", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "1c70d737-7545-456d-8fb9-7033dca67ed3", + "id": "901f4c48-583a-4848-aa7b-89dc8e9c4b76", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.10.2" }, "cisco_ise": { "log": { "acct": { - "authentic": "RADIUS", - "session": { - "id": "00000000/d4:ca:6d:14:87:3b/20879" - }, - "status": { - "type": "Start" + "request": { + "flags": "Stop" } }, "acs": { "session": { - "id": "hijk.xyz.com/176956368/1092777" - } - }, - "airespace": { - "wlan": { - "id": 1 - } - }, - "allowed_protocol": { - "matched": { - "rule": "Default" + "id": "ldnnacpsn1/359344348/952729" } }, - "called_station": { - "id": "00-24-97-69-7a-c0" - }, - "calling_station": { - "id": "d4-ca-6d-14-87-3b" + "authen_method": "TacacsPlus", + "avpair": { + "priv_lvl": 15, + "start_time": "2020-03-26T01:17:12.000Z", + "task_id": "2962", + "timezone": "GMT" }, "category": { - "name": "CISE_RADIUS_Accounting" + "name": "CISE_TACACS_Accounting" }, - "class": "CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772", + "cmdset": "[ CmdAV=show mac-address-table ]", "config_version": { - "id": 33 + "id": 1829 }, "cpm": { "session": { - "id": "0a222bc0000000d123e111f0" + "id": "81.2.69.144Accounting306034364" } }, - "event": { - "timestamp": "2014-01-10T07:59:55.000Z" - }, - "framed": { - "ip": "81.2.69.145" + "device": { + "type": [ + "Device Type#All Device Types#Routers", + "Device Type#All Device Types#Routers" + ] }, - "location": "Location#All Locations#SJC#WNBU", + "ipsec": [ + "IPSEC#Is IPSEC Device", + "IPSEC#Is IPSEC Device" + ], + "location": [ + "Location#All Locations#EMEA", + "Location#All Locations#EMEA" + ], "message": { - "code": "3000", - "description": "Radius-Accounting: RADIUS Accounting start request", - "id": 
"0000070618" - }, - "nas": { - "identifier": "Acme_fe:56:00", - "ip": "81.2.69.145", - "port": { - "number": 13, - "type": "Wireless - IEEE 802.11" - } + "code": "3300", + "description": "Tacacs-Accounting: TACACS+ Accounting with Command", + "id": "0000000001" + }, + "model": { + "name": "Unknown" }, "network": { "device": { "groups": [ - "Location#All Locations#SJC#WNBU", - "Device Type#All Device Types#Wireless#WLC" + "Location#All Locations#EMEA", + "Device Type#All Device Types#Routers", + "IPSEC#Is IPSEC Device" ], - "name": "WNBU-WLC1" + "name": "wlnwan1", + "profile": [ + "Cisco", + "Cisco" + ] } }, + "port": "tty10", + "privilege": { + "level": 15 + }, "request": { - "latency": 6 + "latency": 1 + }, + "response": { + "AcctReply-Status": "Success" }, "segment": { "number": 0, - "total": 1 + "total": 4 }, "selected": { "access": { - "service": "Default Network Access" + "service": "Device Admin - TACACS" } }, + "service": { + "argument": "shell", + "name": "Login" + }, + "software": { + "version": "Unknown" + }, "step": [ - "11004", - "11017", + "13006", "15049", "15008", "15048", - "15048", - "15048", - "15004", - "15006", - "11005" + "13035" ], - "tunnel": { - "medium": { - "type": "(tag=0) 802" - }, - "private": { - "group_id": "(tag=0) 70" - }, - "type": "(tag=0) VLAN" - } + "type": "Accounting" } }, "client": { - "ip": "81.2.69.145" + "ip": "81.2.69.144" }, "data_stream": { "dataset": "cisco_ise.log", "namespace": "ep", "type": "logs" }, + "destination": { + "ip": "81.2.69.144" + }, "ecs": { "version": "8.10.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "901f4c48-583a-4848-aa7b-89dc8e9c4b76", "snapshot": false, - "version": "8.9.1" + "version": "8.10.2" }, "event": { - "action": "radius-accounting", + "action": "tacacs-accounting", "agent_id_status": "verified", "category": [ "configuration" ], "dataset": "cisco_ise.log", - "ingested": "2023-08-29T17:11:24Z", + "ingested": "2023-10-03T09:31:56Z", "kind": "event", - 
"original": "\u003c182\u003eApr 27 11:11:47 hijk.xyz.com CISE_RADIUS_Accounting 0000070618 1 0 2020-04-27 11:11:47.028075 -08:00 0091827141 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=6, NetworkDeviceName=WNBU-WLC1, User-Name=nisehorrrrn, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=81.2.69.145, Class=CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=d4-ca-6d-14-87-3b, NAS-Identifier=Acme_fe:56:00, Acct-Status-Type=Start, Acct-Session-Id=00000000/d4:ca:6d:14:87:3b/20879, Acct-Authentic=RADIUS, Event-Timestamp=1389340795, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, Airespace-Wlan-Id=1, AcsSessionID=hijk.xyz.com/176956368/1092777, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a222bc0000000d123e111f0, AllowedProtocolMatchedRule=Default, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC", - "sequence": 91827141, - "timezone": "-08:00", + "original": "<182>Feb 21 19:13:08 cisco-ise-host CISE_TACACS_Accounting 0000000001 4 0 2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=2962, AVPair=timezone=GMT, AVPair=start_time=1585185432, AVPair=priv-lvl=15, AcctRequest-Flags=Stop, 
Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", + "sequence": 18415781, + "timezone": "+00:00", "type": [ "info" ] }, "host": { - "hostname": "hijk.xyz.com" + "hostname": "cisco-ise-host" }, "input": { "type": "filestream" }, "log": { "file": { + "device_id": 2080, + "inode": 88860, "path": "/tmp/service_logs/log.log" }, "level": "notice", - "offset": 44899, + "offset": 71596, "syslog": { "priority": 182, "severity": { 
@@ -166,16 +166,16 @@ } } }, - "message": "2020-04-27 11:11:47.028075 -08:00 0091827141 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=6, NetworkDeviceName=WNBU-WLC1, User-Name=nisehorrrrn, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=81.2.69.145, Class=CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=d4-ca-6d-14-87-3b, NAS-Identifier=Acme_fe:56:00, Acct-Status-Type=Start, Acct-Session-Id=00000000/d4:ca:6d:14:87:3b/20879, Acct-Authentic=RADIUS, Event-Timestamp=1389340795, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, Airespace-Wlan-Id=1, AcsSessionID=hijk.xyz.com/176956368/1092777, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a222bc0000000d123e111f0, AllowedProtocolMatchedRule=Default, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC", + "message": "2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=2962, AVPair=timezone=GMT, AVPair=start_time=1585185432, AVPair=priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, 
NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", "related": { "hosts": [ - "hijk.xyz.com" + "cisco-ise-host" ], "ip": [ - "81.2.69.145" + "81.2.69.144" ], "user": [ - "nisehorrrrn" + "psxvne" ] }, "tags": [ @@ -184,6 +184,6 @@ "cisco_ise-log" ], "user": { - "name": "nisehorrrrn" + "name": "psxvne" } } \ No newline at end of file diff --git a/packages/cisco_ise/docs/README.md b/packages/cisco_ise/docs/README.md index e8d42a655a0..568b4a8a20f 100644 --- a/packages/cisco_ise/docs/README.md +++ b/packages/cisco_ise/docs/README.md 
@@ -35,166 +35,166 @@ An example event for `log` looks as following: ```json { - "@timestamp": "2020-04-27T11:11:47.028-08:00", + "@timestamp": "2020-02-21T19:13:08.328Z", "agent": { - "ephemeral_id": "86f518cd-51e3-4798-9fa5-e8947dc5d209", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "1c70d737-7545-456d-8fb9-7033dca67ed3", + "id": "901f4c48-583a-4848-aa7b-89dc8e9c4b76", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.10.2" }, "cisco_ise": { "log": { "acct": { - "authentic": "RADIUS", - "session": { - "id": "00000000/d4:ca:6d:14:87:3b/20879" - }, - "status": { - "type": "Start" + "request": { + "flags": "Stop" } }, "acs": { "session": { - "id": "hijk.xyz.com/176956368/1092777" - } - }, - "airespace": { - "wlan": { - "id": 1 - } - }, - "allowed_protocol": { - "matched": { - "rule": "Default" + "id": "ldnnacpsn1/359344348/952729" } }, - "called_station": { - "id": "00-24-97-69-7a-c0" - }, - "calling_station": { - "id": "d4-ca-6d-14-87-3b" + "authen_method": "TacacsPlus", + "avpair": { + "priv_lvl": 15, + "start_time": "2020-03-26T01:17:12.000Z", + "task_id": "2962", + "timezone": "GMT" }, "category": { - "name": "CISE_RADIUS_Accounting" + "name": "CISE_TACACS_Accounting" }, - "class": "CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772", + "cmdset": "[ CmdAV=show mac-address-table ]", "config_version": { - "id": 33 + "id": 1829 }, "cpm": { "session": { - "id": "0a222bc0000000d123e111f0" + "id": "81.2.69.144Accounting306034364" } }, - "event": { - "timestamp": "2014-01-10T07:59:55.000Z" - }, - "framed": { - "ip": "81.2.69.145" + "device": { + "type": [ + "Device Type#All Device Types#Routers", + "Device Type#All Device Types#Routers" + ] }, - "location": "Location#All Locations#SJC#WNBU", + "ipsec": [ + "IPSEC#Is IPSEC Device", + "IPSEC#Is IPSEC Device" + ], + "location": [ + "Location#All Locations#EMEA", + "Location#All Locations#EMEA" + ], "message": { - "code": "3000", - "description": 
"Radius-Accounting: RADIUS Accounting start request", - "id": "0000070618" + "code": "3300", + "description": "Tacacs-Accounting: TACACS+ Accounting with Command", + "id": "0000000001" }, - "nas": { - "identifier": "Acme_fe:56:00", - "ip": "81.2.69.145", - "port": { - "number": 13, - "type": "Wireless - IEEE 802.11" - } + "model": { + "name": "Unknown" }, "network": { "device": { "groups": [ - "Location#All Locations#SJC#WNBU", - "Device Type#All Device Types#Wireless#WLC" + "Location#All Locations#EMEA", + "Device Type#All Device Types#Routers", + "IPSEC#Is IPSEC Device" ], - "name": "WNBU-WLC1" + "name": "wlnwan1", + "profile": [ + "Cisco", + "Cisco" + ] } }, + "port": "tty10", + "privilege": { + "level": 15 + }, "request": { - "latency": 6 + "latency": 1 + }, + "response": { + "AcctReply-Status": "Success" }, "segment": { "number": 0, - "total": 1 + "total": 4 }, "selected": { "access": { - "service": "Default Network Access" + "service": "Device Admin - TACACS" } }, + "service": { + "argument": "shell", + "name": "Login" + }, + "software": { + "version": "Unknown" + }, "step": [ - "11004", - "11017", + "13006", "15049", "15008", "15048", - "15048", - "15048", - "15004", - "15006", - "11005" + "13035" ], - "tunnel": { - "medium": { - "type": "(tag=0) 802" - }, - "private": { - "group_id": "(tag=0) 70" - }, - "type": "(tag=0) VLAN" - } + "type": "Accounting" } }, "client": { - "ip": "81.2.69.145" + "ip": "81.2.69.144" }, "data_stream": { "dataset": "cisco_ise.log", "namespace": "ep", "type": "logs" }, + "destination": { + "ip": "81.2.69.144" + }, "ecs": { "version": "8.10.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "901f4c48-583a-4848-aa7b-89dc8e9c4b76", "snapshot": false, - "version": "8.9.1" + "version": "8.10.2" }, "event": { - "action": "radius-accounting", + "action": "tacacs-accounting", "agent_id_status": "verified", "category": [ "configuration" ], "dataset": "cisco_ise.log", - "ingested": "2023-08-29T17:11:24Z", + 
"ingested": "2023-10-03T09:31:56Z", "kind": "event", - "original": "\u003c182\u003eApr 27 11:11:47 hijk.xyz.com CISE_RADIUS_Accounting 0000070618 1 0 2020-04-27 11:11:47.028075 -08:00 0091827141 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=6, NetworkDeviceName=WNBU-WLC1, User-Name=nisehorrrrn, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=81.2.69.145, Class=CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=d4-ca-6d-14-87-3b, NAS-Identifier=Acme_fe:56:00, Acct-Status-Type=Start, Acct-Session-Id=00000000/d4:ca:6d:14:87:3b/20879, Acct-Authentic=RADIUS, Event-Timestamp=1389340795, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, Airespace-Wlan-Id=1, AcsSessionID=hijk.xyz.com/176956368/1092777, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a222bc0000000d123e111f0, AllowedProtocolMatchedRule=Default, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC", - "sequence": 91827141, - "timezone": "-08:00", + "original": "<182>Feb 21 19:13:08 cisco-ise-host CISE_TACACS_Accounting 0000000001 4 0 2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=2962, AVPair=timezone=GMT, AVPair=start_time=1585185432, 
AVPair=priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", + "sequence": 18415781, + "timezone": "+00:00", "type": [ "info" ] }, "host": { - "hostname": "hijk.xyz.com" + "hostname": "cisco-ise-host" }, "input": { "type": "filestream" }, "log": { "file": { + "device_id": 2080, + "inode": 88860, "path": "/tmp/service_logs/log.log" }, "level": "notice", - "offset": 44899, + "offset": 71596, "syslog": { "priority": 182, "severity": { 
@@ -202,16 +202,16 @@ An example event for `log` looks as following: } } }, - "message": "2020-04-27 11:11:47.028075 -08:00 0091827141 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=6, NetworkDeviceName=WNBU-WLC1, User-Name=nisehorrrrn, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=81.2.69.145, Class=CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=d4-ca-6d-14-87-3b, NAS-Identifier=Acme_fe:56:00, Acct-Status-Type=Start, Acct-Session-Id=00000000/d4:ca:6d:14:87:3b/20879, Acct-Authentic=RADIUS, Event-Timestamp=1389340795, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, Airespace-Wlan-Id=1, AcsSessionID=hijk.xyz.com/176956368/1092777, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a222bc0000000d123e111f0, AllowedProtocolMatchedRule=Default, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC", + "message": "2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=2962, AVPair=timezone=GMT, AVPair=start_time=1585185432, AVPair=priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, 
Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", "related": { "hosts": [ - "hijk.xyz.com" + "cisco-ise-host" ], "ip": [ - "81.2.69.145" + "81.2.69.144" ], "user": [ - "nisehorrrrn" + "psxvne" ] }, "tags": [ @@ -220,7 +220,7 @@ An example event for `log` looks as following: "cisco_ise-log" ], "user": { - "name": "nisehorrrrn" + "name": "psxvne" } } ``` 
@@ -532,7 +532,13 @@ An example event for `log` looks as following:
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
+| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword |
+| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword |
+| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.inode | Inode number of the log file. | keyword |
 | log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword |
 | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
 | log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
 | log.offset | Log offset | long |
diff --git a/packages/cisco_ise/manifest.yml b/packages/cisco_ise/manifest.yml
index d497f64eff6..82a304a0fc0 100644
--- a/packages/cisco_ise/manifest.yml
+++ b/packages/cisco_ise/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.0"
 name: cisco_ise
 title: Cisco ISE
-version: "1.16.0"
+version: 1.17.0
 description: Collect logs from Cisco ISE with Elastic Agent.
 type: integration
 categories:
diff --git a/packages/cisco_nexus/changelog.yml b/packages/cisco_nexus/changelog.yml
index 46bc4134aae..053ae98af1d 100644
--- a/packages/cisco_nexus/changelog.yml
+++ b/packages/cisco_nexus/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: 0.19.0
+ changes:
+ - description: Adapt fields for changes in file system info
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8014
 - version: 0.18.0
 changes:
 - description: ECS version updated to 8.10.0.
diff --git a/packages/cisco_nexus/data_stream/log/_dev/test/system/test-logfile-config.yml b/packages/cisco_nexus/data_stream/log/_dev/test/system/test-logfile-config.yml
index d4d17ffe521..352fa272e22 100644
--- a/packages/cisco_nexus/data_stream/log/_dev/test/system/test-logfile-config.yml
+++ b/packages/cisco_nexus/data_stream/log/_dev/test/system/test-logfile-config.yml
@@ -6,3 +6,9 @@ data_stream:
 - "{{SERVICE_LOGS_DIR}}/*nexus*.log"
 preserve_original_event: true
 preserve_duplicate_custom_fields: true
+numeric_keyword_fields:
+ - log.file.device_id
+ - log.file.inode
+ - log.file.idxhi
+ - log.file.idxlo
+ - log.file.vol
diff --git a/packages/cisco_nexus/data_stream/log/fields/beats.yml b/packages/cisco_nexus/data_stream/log/fields/beats.yml
index 2d5ae254634..43724002998 100644
--- a/packages/cisco_nexus/data_stream/log/fields/beats.yml
+++ b/packages/cisco_nexus/data_stream/log/fields/beats.yml
@@ -7,3 +7,24 @@
 - name: tags
 type: keyword
 description: User defined tags.
+- name: log.file
+ type: group
+ fields:
+ - name: device_id
+ type: keyword
+ description: ID of the device containing the filesystem where the file resides.
+ - name: fingerprint
+ type: keyword
+ description: The sha256 fingerprint identity of the file when fingerprinting is enabled.
+ - name: inode
+ type: keyword
+ description: Inode number of the log file.
+ - name: idxhi
+ type: keyword
+ description: The high-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: idxlo
+ type: keyword
+ description: The low-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: vol
+ type: keyword
+ description: The serial number of the volume that contains a file. (Windows-only)
diff --git a/packages/cisco_nexus/data_stream/log/sample_event.json b/packages/cisco_nexus/data_stream/log/sample_event.json
index 72ebfc67684..78646bccab1 100644
--- a/packages/cisco_nexus/data_stream/log/sample_event.json
+++ b/packages/cisco_nexus/data_stream/log/sample_event.json
@@ -1,19 +1,23 @@
 {
 "@timestamp": "2023-04-26T09:08:48.000Z",
 "agent": {
- "ephemeral_id": "777b3d32-4639-4d5d-bc3e-fa5e4053d335",
- "id": "ae8acf2b-2fd5-4ab9-921c-e92bc69cd32c",
+ "ephemeral_id": "81553388-678e-4d17-8f75-7c7870f7f06c",
+ "id": "45b4f828-da65-463c-980e-09ba9a67922b",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.7.0"
+ "version": "8.10.2"
 },
 "cisco_nexus": {
 "log": {
- "description": "last message repeated 3 time",
+ "description": "EARL 0 NF ASIC: Uncorrectable Parity error in Netflow Table.",
+ "facility": "EARL",
 "priority_number": 187,
+ "severity": 3,
+ "standby": "SW2_DFC1",
 "switch_name": "switchname",
 "time": "2023-04-26T09:08:48.000Z",
- "timezone": "UTC"
+ "timezone": "UTC",
+ "type": "NF_PARITY_ERROR"
 }
 },
 "data_stream": {
@@ -25,29 +29,44 @@
 "version": "8.10.0"
 },
 "elastic_agent": {
- "id": "ae8acf2b-2fd5-4ab9-921c-e92bc69cd32c",
+ "id": "45b4f828-da65-463c-980e-09ba9a67922b",
 "snapshot": false,
- "version": "8.7.0"
+ "version": "8.10.2"
 },
 "event": {
 "agent_id_status": "verified",
+ "category": [
+ "network"
+ ],
+ "code": "NF_PARITY_ERROR",
 "dataset": "cisco_nexus.log",
- "ingested": "2023-06-15T06:21:25Z",
+ "ingested": "2023-10-03T09:37:59Z",
 "kind": "event",
- "original": "\u003c187\u003eswitchname: 2023 Apr 26 09:08:48 UTC: last message repeated 3 time"
+ "original": "<187>switchname: 2023 Apr 26 09:08:48 UTC: %EARL-SW2_DFC1-3-NF_PARITY_ERROR: EARL 0 NF ASIC: Uncorrectable Parity error in Netflow Table.",
+ "severity": 3,
+ "type": [
+ "info"
+ ]
 },
 "input": {
- "type": "udp"
+ "type": "tcp"
 },
 "log": {
+ "level": "error",
 "source": {
- "address": "192.168.251.1:37485"
+ "address": "192.168.0.5:48836"
 },
 "syslog": {
- "priority": 187
+ "facility": {
+ "code": 23
+ },
+ "priority": 187,
+ "severity": {
+ "code": 3
+ }
 }
 },
- "message": "last message repeated 3 time",
+ "message": "EARL 0 NF ASIC: Uncorrectable Parity error in Netflow Table.",
 "observer": {
 "name": "switchname",
 "product": "Nexus",
diff --git a/packages/cisco_nexus/docs/README.md b/packages/cisco_nexus/docs/README.md
index 0119a3ec891..08a5657452b 100644
--- a/packages/cisco_nexus/docs/README.md
+++ b/packages/cisco_nexus/docs/README.md
@@ -46,19 +46,23 @@ An example event for `log` looks as following:
 {
 "@timestamp": "2023-04-26T09:08:48.000Z",
 "agent": {
- "ephemeral_id": "777b3d32-4639-4d5d-bc3e-fa5e4053d335",
- "id": "ae8acf2b-2fd5-4ab9-921c-e92bc69cd32c",
+ "ephemeral_id": "81553388-678e-4d17-8f75-7c7870f7f06c",
+ "id": "45b4f828-da65-463c-980e-09ba9a67922b",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.7.0"
+ "version": "8.10.2"
 },
 "cisco_nexus": {
 "log": {
- "description": "last message repeated 3 time",
+ "description": "EARL 0 NF ASIC: Uncorrectable Parity error in Netflow Table.",
+ "facility": "EARL",
 "priority_number": 187,
+ "severity": 3,
+ "standby": "SW2_DFC1",
 "switch_name": "switchname",
 "time": "2023-04-26T09:08:48.000Z",
- "timezone": "UTC"
+ "timezone": "UTC",
+ "type": "NF_PARITY_ERROR"
 }
 },
 "data_stream": {
@@ -70,29 +74,44 @@ An example event for `log` looks as following:
 "version": "8.10.0"
 },
 "elastic_agent": {
- "id": "ae8acf2b-2fd5-4ab9-921c-e92bc69cd32c",
+ "id": "45b4f828-da65-463c-980e-09ba9a67922b",
 "snapshot": false,
- "version": "8.7.0"
+ "version": "8.10.2"
 },
 "event": {
 "agent_id_status": "verified",
+ "category": [
+ "network"
+ ],
+ "code": "NF_PARITY_ERROR",
 "dataset": "cisco_nexus.log",
- "ingested": "2023-06-15T06:21:25Z",
+ "ingested": "2023-10-03T09:37:59Z",
 "kind": "event",
- "original": "\u003c187\u003eswitchname: 2023 Apr 26 09:08:48 UTC: last message repeated 3 time"
+ "original": "<187>switchname: 2023 Apr 26 09:08:48 UTC: %EARL-SW2_DFC1-3-NF_PARITY_ERROR: EARL 0 NF ASIC: Uncorrectable Parity error in Netflow Table.",
+ "severity": 3,
+ "type": [
+ "info"
+ ]
 },
 "input": {
- "type": "udp"
+ "type": "tcp"
 },
 "log": {
+ "level": "error",
 "source": {
- "address": "192.168.251.1:37485"
+ "address": "192.168.0.5:48836"
 },
 "syslog": {
- "priority": 187
+ "facility": {
+ "code": 23
+ },
+ "priority": 187,
+ "severity": {
+ "code": 3
+ }
 }
 },
- "message": "last message repeated 3 time",
+ "message": "EARL 0 NF ASIC: Uncorrectable Parity error in Netflow Table.",
 "observer": {
 "name": "switchname",
 "product": "Nexus",
@@ -153,6 +172,12 @@ An example event for `log` looks as following: | event.dataset | Event dataset. | constant_keyword | | event.module | Event module. | constant_keyword | | input.type | Type of Filebeat input. | keyword | +| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword | +| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword | +| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword | +| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword | +| log.file.inode | Inode number of the log file. | keyword | +| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword | | log.offset | Log offset. | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | | tags | User defined tags. | keyword | diff --git a/packages/cisco_nexus/manifest.yml b/packages/cisco_nexus/manifest.yml index eb79fc72f12..592faa1a5a4 100644 --- a/packages/cisco_nexus/manifest.yml +++ b/packages/cisco_nexus/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.0" name: cisco_nexus title: Cisco Nexus -version: "0.18.0" +version: "0.19.0" description: Collect logs from Cisco Nexus with Elastic Agent. type: integration categories: diff --git a/packages/f5_bigip/changelog.yml b/packages/f5_bigip/changelog.yml index d02184458cc..e31c9fa5efb 100644 --- a/packages/f5_bigip/changelog.yml +++ b/packages/f5_bigip/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: 1.11.0 + changes: + - description: Adapt fields for changes in file system info + type: enhancement + link: https://github.com/elastic/integrations/pull/8014 - version: 1.10.0 changes: - description: ECS version updated to 8.10.0. 
diff --git a/packages/f5_bigip/data_stream/log/_dev/test/system/test-filestream-config.yml b/packages/f5_bigip/data_stream/log/_dev/test/system/test-filestream-config.yml index 55948b52c20..45eac279bab 100644 --- a/packages/f5_bigip/data_stream/log/_dev/test/system/test-filestream-config.yml +++ b/packages/f5_bigip/data_stream/log/_dev/test/system/test-filestream-config.yml @@ -6,3 +6,9 @@ data_stream: preserve_duplicate_custom_fields: true paths: - '{{SERVICE_LOGS_DIR}}/*.log' +numeric_keyword_fields: + - log.file.device_id + - log.file.inode + - log.file.idxhi + - log.file.idxlo + - log.file.vol diff --git a/packages/f5_bigip/data_stream/log/fields/agent.yml b/packages/f5_bigip/data_stream/log/fields/agent.yml index 10023a11743..1740ca457d3 100644 --- a/packages/f5_bigip/data_stream/log/fields/agent.yml +++ b/packages/f5_bigip/data_stream/log/fields/agent.yml @@ -181,3 +181,24 @@ - name: log.offset type: long description: Log offset +- name: log.file + type: group + fields: + - name: device_id + type: keyword + description: ID of the device containing the filesystem where the file resides. + - name: fingerprint + type: keyword + description: The sha256 fingerprint identity of the file when fingerprinting is enabled. + - name: inode + type: keyword + description: Inode number of the log file. + - name: idxhi + type: keyword + description: The high-order part of a unique identifier that is associated with a file. (Windows-only) + - name: idxlo + type: keyword + description: The low-order part of a unique identifier that is associated with a file. (Windows-only) + - name: vol + type: keyword + description: The serial number of the volume that contains a file. (Windows-only) diff --git a/packages/f5_bigip/data_stream/log/sample_event.json b/packages/f5_bigip/data_stream/log/sample_event.json index e4329a0dfb5..2f1f444470a 100644 --- a/packages/f5_bigip/data_stream/log/sample_event.json +++ b/packages/f5_bigip/data_stream/log/sample_event.json 
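Review bot: The new `numeric_keyword_fields` list in test-filestream-config.yml carries no explanation of why exactly these five `log.file.*` fields are exempt from the system test's type check, which invites a later cleanup that deletes the list or wrongly adds `log.file.fingerprint` to it. A one-line comment above it would settle that: `# Filebeat emits these file-identity values as integers; fields/agent.yml maps them as keyword.` `fingerprint` is correctly left out, since it is a hex digest string rather than a number. The three Windows-only entries (`idxhi`, `idxlo`, `vol`) will not be produced by this docker-based test (the regenerated sample event in this change reads `/tmp/service_logs/log.log`), so they are inert here but keep the list uniform with the other packages.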
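Review bot: `device_id` and `inode` in the new `log.file` group are declared `keyword`, yet the regenerated sample event in this same change shows Filebeat emitting them as JSON integers (`"device_id": 2080`, `"inode": 89387`), so ingestion relies on Elasticsearch coercing numbers into keyword and any query or correlation rule must compare them as strings; the descriptions should say so, e.g. `description: Inode number of the log file. Emitted as an integer by the input but indexed as keyword; query as a string.` A stability caveat would also help anyone tempted to use these for dedup or tamper detection: an inode/device pair identifies the file only on the host that read it and can be reused after rotation or deletion, so it is not a durable file identity, whereas `fingerprint` is derived from content. The `fingerprint` description should state what the sha256 actually covers (presumably the filestream input's fingerprint file-identity mode, which hashes a prefix of the file — confirm against the Filebeat docs) rather than just "fingerprint identity".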
@@ -1,12 +1,11 @@ { "@timestamp": "2018-11-19T22:34:40.000Z", "agent": { - "ephemeral_id": "e53fc33d-3e0e-4f88-a338-d65c29e5d7de", - "hostname": "docker-fleet-agent", - "id": "121c9eba-d12d-4405-9bf4-83bc92e8c764", + "ephemeral_id": "b2702795-ff0f-4411-b118-3905167e6def", + "id": "28857421-72df-47d1-a881-abece3f8bd81", "name": "docker-fleet-agent", "type": "filebeat", - "version": "7.17.0" + "version": "8.10.2" }, "client": { "ip": "81.2.69.142" @@ -24,9 +23,9 @@ "version": "8.10.0" }, "elastic_agent": { - "id": "121c9eba-d12d-4405-9bf4-83bc92e8c764", + "id": "28857421-72df-47d1-a881-abece3f8bd81", "snapshot": false, - "version": "7.17.0" + "version": "8.10.2" }, "event": { "agent_id_status": "verified", 
@@ -34,9 +33,9 @@ "network" ], "dataset": "f5_bigip.log", - "ingested": "2022-10-21T06:12:02Z", + "ingested": "2023-10-03T09:46:22Z", "kind": "event", - "original": "{\"application\":\"app.app\",\"attack_type\":\"Detection Evasion\",\"blocking_exception_reason\":\"test\",\"captcha_result\":\"not_received\",\"date_time\":\"2018-11-19 22:34:40\",\"dest_ip\":\"81.2.69.142\",\"dest_port\":\"80\",\"device_id\":\"12bdca32\",\"fragment\":\"test_Fragment\",\"geo_location\":\"US\",\"hostname\":\"hostname\",\"http_class_name\":\"/Common/abc/test\",\"ip_address_intelligence\":\"host1\",\"ip_client\":\"81.2.69.142\",\"management_ip_address\":\"81.2.69.142\",\"management_ip_address_2\":\"81.2.69.144\",\"method\":\"GET\",\"policy_apply_date\":\"2018-11-19 22:17:57\",\"policy_name\":\"/Common/abc\",\"protocol\":\"HTTP\",\"query_string\":\"name=abc\",\"request\":\"GET /admin/.\",\"request_status\":\"blocked\",\"response_code\":\"0\",\"route_domain\":\"example.com\",\"session_id\":\"abc123abcd\",\"severity\":\"Critical\",\"sig_ids\":\"abc12bcd\",\"sig_names\":\"Sig_Name\",\"src_port\":\"49804\",\"staged_sig_ids\":\"abc23121bc\",\"staged_sig_names\":\"test_name\",\"staged_threat_campaign_names\":\"test\",\"sub_violations\":\"Evasion technique detected:Directory traversals\",\"support_id\":\"123456789\",\"telemetryEventCategory\":\"ASM\",\"tenant\":\"Common\",\"threat_campaign_names\":\"threat\",\"uri\":\"/directory/file\",\"username\":\"test User\",\"violation_rating\":\"3\",\"violations\":\"Evasion technique detected\",\"virus_name\":\"test Virus\",\"web_application_name\":\"/Common/abc\",\"websocket_direction\":\"test\",\"websocket_message_type\":\"test\",\"x_forwarded_for_header_value\":\"81.2.69.144\"}", + "original": "{\"hostname\":\"hostname\",\"management_ip_address\":\"81.2.69.142\",\"management_ip_address_2\":\"81.2.69.144\",\"http_class_name\":\"/Common/abc/test\",\"web_application_name\":\"/Common/abc\",\"policy_name\":\"/Common/abc\",\"policy_apply_date\":\"2018-11-19 
22:17:57\",\"violations\":\"Evasion technique detected\",\"support_id\":\"123456789\",\"request_status\":\"blocked\",\"response_code\":\"0\",\"ip_client\":\"81.2.69.142\",\"route_domain\":\"example.com\",\"method\":\"GET\",\"protocol\":\"HTTP\",\"query_string\":\"name=abc\",\"x_forwarded_for_header_value\":\"81.2.69.144\",\"sig_ids\":\"abc12bcd\",\"sig_names\":\"Sig_Name\",\"date_time\":\"2018-11-19 22:34:40\",\"severity\":\"Critical\",\"attack_type\":\"Detection Evasion\",\"geo_location\":\"US\",\"ip_address_intelligence\":\"host1\",\"username\":\"test User\",\"session_id\":\"abc123abcd\",\"src_port\":\"49804\",\"dest_port\":\"80\",\"dest_ip\":\"81.2.69.142\",\"sub_violations\":\"Evasion technique detected:Directory traversals\",\"virus_name\":\"test Virus\",\"violation_rating\":\"3\",\"websocket_direction\":\"test\",\"websocket_message_type\":\"test\",\"device_id\":\"12bdca32\",\"staged_sig_ids\":\"abc23121bc\",\"staged_sig_names\":\"test_name\",\"threat_campaign_names\":\"threat\",\"staged_threat_campaign_names\":\"test\",\"blocking_exception_reason\":\"test\",\"captcha_result\":\"not_received\",\"uri\":\"/directory/file\",\"fragment\":\"test_Fragment\",\"request\":\"GET /admin/.\",\"tenant\":\"Common\",\"application\":\"app.app\",\"telemetryEventCategory\":\"ASM\"}", "type": [ "info" ] @@ -151,10 +150,16 @@ } }, "input": { - "type": "http_endpoint" + "type": "filestream" }, "log": { - "level": "critical" + "file": { + "device_id": 2080, + "inode": 89387, + "path": "/tmp/service_logs/log.log" + }, + "level": "critical", + "offset": 1876 }, "network": { "application": "app.app", diff --git a/packages/f5_bigip/docs/README.md b/packages/f5_bigip/docs/README.md index 19b8e62b90d..280fb916c5c 100644 --- a/packages/f5_bigip/docs/README.md +++ b/packages/f5_bigip/docs/README.md 
@@ -161,12 +161,11 @@ An example event for `log` looks as following: { "@timestamp": "2018-11-19T22:34:40.000Z", "agent": { - "ephemeral_id": "e53fc33d-3e0e-4f88-a338-d65c29e5d7de", - "hostname": "docker-fleet-agent", - "id": "121c9eba-d12d-4405-9bf4-83bc92e8c764", + "ephemeral_id": "b2702795-ff0f-4411-b118-3905167e6def", + "id": "28857421-72df-47d1-a881-abece3f8bd81", "name": "docker-fleet-agent", "type": "filebeat", - "version": "7.17.0" + "version": "8.10.2" }, "client": { "ip": "81.2.69.142" @@ -184,9 +183,9 @@ An example event for `log` looks as following: "version": "8.10.0" }, "elastic_agent": { - "id": "121c9eba-d12d-4405-9bf4-83bc92e8c764", + "id": "28857421-72df-47d1-a881-abece3f8bd81", "snapshot": false, - "version": "7.17.0" + "version": "8.10.2" }, "event": { "agent_id_status": "verified", 
@@ -194,9 +193,9 @@ An example event for `log` looks as following: "network" ], "dataset": "f5_bigip.log", - "ingested": "2022-10-21T06:12:02Z", + "ingested": "2023-10-03T09:46:22Z", "kind": "event", - "original": "{\"application\":\"app.app\",\"attack_type\":\"Detection Evasion\",\"blocking_exception_reason\":\"test\",\"captcha_result\":\"not_received\",\"date_time\":\"2018-11-19 22:34:40\",\"dest_ip\":\"81.2.69.142\",\"dest_port\":\"80\",\"device_id\":\"12bdca32\",\"fragment\":\"test_Fragment\",\"geo_location\":\"US\",\"hostname\":\"hostname\",\"http_class_name\":\"/Common/abc/test\",\"ip_address_intelligence\":\"host1\",\"ip_client\":\"81.2.69.142\",\"management_ip_address\":\"81.2.69.142\",\"management_ip_address_2\":\"81.2.69.144\",\"method\":\"GET\",\"policy_apply_date\":\"2018-11-19 22:17:57\",\"policy_name\":\"/Common/abc\",\"protocol\":\"HTTP\",\"query_string\":\"name=abc\",\"request\":\"GET /admin/.\",\"request_status\":\"blocked\",\"response_code\":\"0\",\"route_domain\":\"example.com\",\"session_id\":\"abc123abcd\",\"severity\":\"Critical\",\"sig_ids\":\"abc12bcd\",\"sig_names\":\"Sig_Name\",\"src_port\":\"49804\",\"staged_sig_ids\":\"abc23121bc\",\"staged_sig_names\":\"test_name\",\"staged_threat_campaign_names\":\"test\",\"sub_violations\":\"Evasion technique detected:Directory traversals\",\"support_id\":\"123456789\",\"telemetryEventCategory\":\"ASM\",\"tenant\":\"Common\",\"threat_campaign_names\":\"threat\",\"uri\":\"/directory/file\",\"username\":\"test User\",\"violation_rating\":\"3\",\"violations\":\"Evasion technique detected\",\"virus_name\":\"test Virus\",\"web_application_name\":\"/Common/abc\",\"websocket_direction\":\"test\",\"websocket_message_type\":\"test\",\"x_forwarded_for_header_value\":\"81.2.69.144\"}", + "original": 
"{\"hostname\":\"hostname\",\"management_ip_address\":\"81.2.69.142\",\"management_ip_address_2\":\"81.2.69.144\",\"http_class_name\":\"/Common/abc/test\",\"web_application_name\":\"/Common/abc\",\"policy_name\":\"/Common/abc\",\"policy_apply_date\":\"2018-11-19 22:17:57\",\"violations\":\"Evasion technique detected\",\"support_id\":\"123456789\",\"request_status\":\"blocked\",\"response_code\":\"0\",\"ip_client\":\"81.2.69.142\",\"route_domain\":\"example.com\",\"method\":\"GET\",\"protocol\":\"HTTP\",\"query_string\":\"name=abc\",\"x_forwarded_for_header_value\":\"81.2.69.144\",\"sig_ids\":\"abc12bcd\",\"sig_names\":\"Sig_Name\",\"date_time\":\"2018-11-19 22:34:40\",\"severity\":\"Critical\",\"attack_type\":\"Detection Evasion\",\"geo_location\":\"US\",\"ip_address_intelligence\":\"host1\",\"username\":\"test User\",\"session_id\":\"abc123abcd\",\"src_port\":\"49804\",\"dest_port\":\"80\",\"dest_ip\":\"81.2.69.142\",\"sub_violations\":\"Evasion technique detected:Directory traversals\",\"virus_name\":\"test Virus\",\"violation_rating\":\"3\",\"websocket_direction\":\"test\",\"websocket_message_type\":\"test\",\"device_id\":\"12bdca32\",\"staged_sig_ids\":\"abc23121bc\",\"staged_sig_names\":\"test_name\",\"threat_campaign_names\":\"threat\",\"staged_threat_campaign_names\":\"test\",\"blocking_exception_reason\":\"test\",\"captcha_result\":\"not_received\",\"uri\":\"/directory/file\",\"fragment\":\"test_Fragment\",\"request\":\"GET /admin/.\",\"tenant\":\"Common\",\"application\":\"app.app\",\"telemetryEventCategory\":\"ASM\"}", "type": [ "info" ] @@ -311,10 +310,16 @@ An example event for `log` looks as following: } }, "input": { - "type": "http_endpoint" + "type": "filestream" }, "log": { - "level": "critical" + "file": { + "device_id": 2080, + "inode": 89387, + "path": "/tmp/service_logs/log.log" + }, + "level": "critical", + "offset": 1876 }, "network": { "application": "app.app", 
@@ -702,7 +707,13 @@ An example event for `log` looks as following: | http.response.status_code | HTTP response status code. | long | | http.version | HTTP version. | keyword | | input.type | Input type | keyword | +| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword | +| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword | +| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword | +| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword | +| log.file.inode | Inode number of the log file. | keyword | | log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword | | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | | log.offset | Log offset | long | | log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | diff --git a/packages/f5_bigip/manifest.yml b/packages/f5_bigip/manifest.yml index f254e0f6ff2..937fbb07119 100644 --- a/packages/f5_bigip/manifest.yml 
+++ b/packages/f5_bigip/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.0" name: f5_bigip title: F5 BIG-IP -version: "1.10.0" +version: "1.11.0" description: Collect logs from F5 BIG-IP with Elastic Agent. type: integration categories: diff --git a/packages/fortinet_fortimail/changelog.yml b/packages/fortinet_fortimail/changelog.yml index 3a0df872f10..9f6ba4e62c6 100644 --- a/packages/fortinet_fortimail/changelog.yml +++ b/packages/fortinet_fortimail/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: 2.10.0 + changes: + - description: Adapt fields for changes in file system info + type: enhancement + link: https://github.com/elastic/integrations/pull/8014 - version: 2.9.0 changes: - description: ECS version updated to 8.10.0. diff --git a/packages/fortinet_fortimail/data_stream/log/_dev/test/system/test-logfile-config.yml b/packages/fortinet_fortimail/data_stream/log/_dev/test/system/test-logfile-config.yml index c30d1151293..8344183897b 100644 --- a/packages/fortinet_fortimail/data_stream/log/_dev/test/system/test-logfile-config.yml +++ b/packages/fortinet_fortimail/data_stream/log/_dev/test/system/test-logfile-config.yml @@ -6,3 +6,9 @@ data_stream: - "{{SERVICE_LOGS_DIR}}/*fortimail*.log" preserve_original_event: true preserve_duplicate_custom_fields: true +numeric_keyword_fields: + - log.file.device_id + - log.file.inode + - log.file.idxhi + - log.file.idxlo + - log.file.vol diff --git a/packages/fortinet_fortimail/data_stream/log/fields/beats.yml b/packages/fortinet_fortimail/data_stream/log/fields/beats.yml index 80cbae91cae..02620450bd7 100644 --- a/packages/fortinet_fortimail/data_stream/log/fields/beats.yml +++ b/packages/fortinet_fortimail/data_stream/log/fields/beats.yml 
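Review bot: The `numeric_keyword_fields` block added to test-logfile-config.yml has no comment saying why these five `log.file.*` fields bypass the system test's strict type check, so the reason will be lost on the next maintainer. Suggest `# Filebeat emits these file-identity values as integers; fields/beats.yml maps them as keyword.` directly above the key. `log.file.fingerprint` is correctly absent because it is a hex string, and the Windows-only `idxhi`/`idxlo`/`vol` entries cannot occur in this docker-based test, so they are harmless filler kept for uniformity. Note this exemption only applies to the logfile test config; the tcp test that produced the regenerated sample event carries no `log.file.*` fields at all.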
@@ -7,3 +7,24 @@ - name: tags type: keyword description: User defined tags. +- name: log.file + type: group + fields: + - name: device_id + type: keyword + description: ID of the device containing the filesystem where the file resides. + - name: fingerprint + type: keyword + description: The sha256 fingerprint identity of the file when fingerprinting is enabled. + - name: inode + type: keyword + description: Inode number of the log file. + - name: idxhi + type: keyword + description: The high-order part of a unique identifier that is associated with a file. (Windows-only) + - name: idxlo + type: keyword + description: The low-order part of a unique identifier that is associated with a file. (Windows-only) + - name: vol + type: keyword + description: The serial number of the volume that contains a file. (Windows-only) diff --git a/packages/fortinet_fortimail/data_stream/log/sample_event.json b/packages/fortinet_fortimail/data_stream/log/sample_event.json index 1bcff9a006f..595a5785772 100644 --- a/packages/fortinet_fortimail/data_stream/log/sample_event.json +++ b/packages/fortinet_fortimail/data_stream/log/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2013-02-25T07:01:34.000Z", "agent": { - "ephemeral_id": "d71bab02-1a42-4119-ae2a-78113cf3e0c2", - "id": "5fcd6016-3c0e-45e7-b624-cc2a254f1769", + "ephemeral_id": "6e27a1ae-39ab-4632-8e9b-d6d0b7a1e56b", + "id": "4a5f8370-e38c-43b1-9dc9-b2c1e0788c6d", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.3.0" + "version": "8.10.2" }, "data_stream": { "dataset": "fortinet_fortimail.log", @@ -19,9 +19,9 @@ "version": "8.10.0" }, "elastic_agent": { - "id": "5fcd6016-3c0e-45e7-b624-cc2a254f1769", + "id": "4a5f8370-e38c-43b1-9dc9-b2c1e0788c6d", "snapshot": false, - "version": "8.3.0" + "version": "8.10.2" }, "email": { "direction": "unknown", 
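Review bot: The `log.file` group in beats.yml maps `device_id` and `inode` as `keyword`, but the companion test config in this change lists both under `numeric_keyword_fields`, which indicates the logfile input emits them as integers; the field descriptions should state that they are indexed as keyword and must be queried as strings, e.g. `description: ID of the device containing the filesystem where the file resides. Emitted as an integer; indexed as keyword.` None of these fields appear in the regenerated sample event because it came from the `tcp` input, so a note that the group is populated only by the logfile/filestream input would keep the README table from misleading readers. For `inode`/`device_id` add the practitioner caveat that the pair is host-local and reusable after rotation or deletion, so it is not a durable file identity for correlation or tamper checks; `fingerprint`, when enabled, is the content-derived identity. The `fingerprint` description should also say what the sha256 is computed over (presumably the filestream fingerprint file-identity mode — confirm against the Filebeat docs).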
@@ -42,9 +42,9 @@ "agent_id_status": "verified", "code": "0200025843", "dataset": "fortinet_fortimail.log", - "ingested": "2023-03-16T06:09:49Z", + "ingested": "2023-10-03T09:51:39Z", "kind": "event", - "original": "\u003c187\u003edate=2013-02-25,time=07:01:34,device_id=FE100C3909600504,log_id=0200025843,type=statistics,pri=information,session_id=\"r1PF1YTh025836-r1PF1YTh025836\",client_name=\"user\",dst_ip=\"81.2.69.194\",endpoint=\"\",from=\"aaa@bbb.com\",to=\"user1@example.com\",polid=\"0:1:0\",domain=\"example.com\",subject=\"Test12345\",mailer=\"proxy\",resolved=\"FAIL\",direction=\"unknown\",virus=\"\",disposition=\"Delay\",classifier=\"Session Limits\",message_length=\"199986\"", + "original": "<187>date=2013-02-25,time=07:01:34,device_id=FE100C3909600504,log_id=0200025843,type=statistics,pri=information,session_id=\"r1PF1YTh025836-r1PF1YTh025836\",client_name=\"user\",dst_ip=\"81.2.69.194\",endpoint=\"\",from=\"aaa@bbb.com\",to=\"user1@example.com\",polid=\"0:1:0\",domain=\"example.com\",subject=\"Test12345\",mailer=\"proxy\",resolved=\"FAIL\",direction=\"unknown\",virus=\"\",disposition=\"Delay\",classifier=\"Session Limits\",message_length=\"199986\"", "outcome": "failure" }, "fortinet_fortimail": { @@ -75,12 +75,12 @@ } }, "input": { - "type": "udp" + "type": "tcp" }, "log": { "level": "information", "source": { - "address": "172.23.0.5:36516" + "address": "192.168.144.4:54368" }, "syslog": { "facility": { diff --git a/packages/fortinet_fortimail/docs/README.md b/packages/fortinet_fortimail/docs/README.md index 5ff2003b121..0d279064a3c 100644 --- a/packages/fortinet_fortimail/docs/README.md +++ b/packages/fortinet_fortimail/docs/README.md 
@@ -56,11 +56,11 @@ An example event for `log` looks as following: { "@timestamp": "2013-02-25T07:01:34.000Z", "agent": { - "ephemeral_id": "d71bab02-1a42-4119-ae2a-78113cf3e0c2", - "id": "5fcd6016-3c0e-45e7-b624-cc2a254f1769", + "ephemeral_id": "6e27a1ae-39ab-4632-8e9b-d6d0b7a1e56b", + "id": "4a5f8370-e38c-43b1-9dc9-b2c1e0788c6d", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.3.0" + "version": "8.10.2" }, "data_stream": { "dataset": "fortinet_fortimail.log", @@ -74,9 +74,9 @@ An example event for `log` looks as following: "version": "8.10.0" }, "elastic_agent": { - "id": "5fcd6016-3c0e-45e7-b624-cc2a254f1769", + "id": "4a5f8370-e38c-43b1-9dc9-b2c1e0788c6d", "snapshot": false, - "version": "8.3.0" + "version": "8.10.2" }, "email": { "direction": "unknown", 
@@ -97,9 +97,9 @@ An example event for `log` looks as following: "agent_id_status": "verified", "code": "0200025843", "dataset": "fortinet_fortimail.log", - "ingested": "2023-03-16T06:09:49Z", + "ingested": "2023-10-03T09:51:39Z", "kind": "event", - "original": "\u003c187\u003edate=2013-02-25,time=07:01:34,device_id=FE100C3909600504,log_id=0200025843,type=statistics,pri=information,session_id=\"r1PF1YTh025836-r1PF1YTh025836\",client_name=\"user\",dst_ip=\"81.2.69.194\",endpoint=\"\",from=\"aaa@bbb.com\",to=\"user1@example.com\",polid=\"0:1:0\",domain=\"example.com\",subject=\"Test12345\",mailer=\"proxy\",resolved=\"FAIL\",direction=\"unknown\",virus=\"\",disposition=\"Delay\",classifier=\"Session Limits\",message_length=\"199986\"", + "original": "<187>date=2013-02-25,time=07:01:34,device_id=FE100C3909600504,log_id=0200025843,type=statistics,pri=information,session_id=\"r1PF1YTh025836-r1PF1YTh025836\",client_name=\"user\",dst_ip=\"81.2.69.194\",endpoint=\"\",from=\"aaa@bbb.com\",to=\"user1@example.com\",polid=\"0:1:0\",domain=\"example.com\",subject=\"Test12345\",mailer=\"proxy\",resolved=\"FAIL\",direction=\"unknown\",virus=\"\",disposition=\"Delay\",classifier=\"Session Limits\",message_length=\"199986\"", "outcome": "failure" }, "fortinet_fortimail": { @@ -130,12 +130,12 @@ An example event for `log` looks as following: } }, "input": { - "type": "udp" + "type": "tcp" }, "log": { "level": "information", "source": { - "address": "172.23.0.5:36516" + "address": "192.168.144.4:54368" }, "syslog": { "facility": { 
@@ -243,6 +243,12 @@ An example event for `log` looks as following: | fortinet_fortimail.log.virus | | keyword | | fortinet_fortimail.log.xfer_time | | double | | input.type | Type of Filebeat input. | keyword | +| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword | +| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword | +| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword | +| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword | +| log.file.inode | Inode number of the log file. | keyword | +| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword | | log.offset | Log offset. | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | | tags | User defined tags. | keyword | diff --git a/packages/fortinet_fortimail/manifest.yml b/packages/fortinet_fortimail/manifest.yml index f3ea1e125f2..c4adb446004 100644 --- a/packages/fortinet_fortimail/manifest.yml +++ b/packages/fortinet_fortimail/manifest.yml @@ -1,6 +1,6 @@ name: fortinet_fortimail title: Fortinet FortiMail -version: "2.9.0" +version: "2.10.0" description: Collect logs from Fortinet FortiMail instances with Elastic Agent. type: integration format_version: "3.0.0" diff --git a/packages/fortinet_fortimanager/changelog.yml b/packages/fortinet_fortimanager/changelog.yml index 85c11084997..f55882fb574 100644 --- a/packages/fortinet_fortimanager/changelog.yml +++ b/packages/fortinet_fortimanager/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: 2.8.0 + changes: + - description: Adapt fields for changes in file system info + type: enhancement + link: https://github.com/elastic/integrations/pull/8014 - version: 2.7.0 changes: - description: ECS version updated to 8.10.0. 
diff --git a/packages/fortinet_fortimanager/data_stream/log/_dev/test/system/test-logfile-config.yml b/packages/fortinet_fortimanager/data_stream/log/_dev/test/system/test-logfile-config.yml index 3070c5c99a5..bdab5f3bba1 100644 --- a/packages/fortinet_fortimanager/data_stream/log/_dev/test/system/test-logfile-config.yml +++ b/packages/fortinet_fortimanager/data_stream/log/_dev/test/system/test-logfile-config.yml @@ -6,3 +6,9 @@ data_stream: - "{{SERVICE_LOGS_DIR}}/*fortimanager*.log" preserve_original_event: true preserve_duplicate_custom_fields: true +numeric_keyword_fields: + - log.file.device_id + - log.file.inode + - log.file.idxhi + - log.file.idxlo + - log.file.vol diff --git a/packages/fortinet_fortimanager/data_stream/log/fields/beats.yml b/packages/fortinet_fortimanager/data_stream/log/fields/beats.yml index b3701b581cf..3a663ab68fb 100644 --- a/packages/fortinet_fortimanager/data_stream/log/fields/beats.yml +++ b/packages/fortinet_fortimanager/data_stream/log/fields/beats.yml @@ -7,3 +7,24 @@ - name: tags type: keyword description: User defined tags. +- name: log.file + type: group + fields: + - name: device_id + type: keyword + description: ID of the device containing the filesystem where the file resides. + - name: fingerprint + type: keyword + description: The sha256 fingerprint identity of the file when fingerprinting is enabled. + - name: inode + type: keyword + description: Inode number of the log file. + - name: idxhi + type: keyword + description: The high-order part of a unique identifier that is associated with a file. (Windows-only) + - name: idxlo + type: keyword + description: The low-order part of a unique identifier that is associated with a file. (Windows-only) + - name: vol + type: keyword + description: The serial number of the volume that contains a file. (Windows-only) 
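Review bot: The `numeric_keyword_fields` list added to the fortimanager test-logfile-config.yml is unexplained, and its purpose (letting integer-valued `log.file.*` fields pass a keyword type check) is not obvious from the key name alone. Add `# Filebeat emits these file-identity values as integers; fields/beats.yml maps them as keyword.` above it. `fingerprint` is rightly omitted because it is a hex string, and the Windows-only `idxhi`/`idxlo`/`vol` entries are inert in this docker-based test but keep the list identical across packages. The regenerated sample event in this change comes from the `tcp` input, so it exercises none of these fields; the exemption is only meaningful for the logfile path.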
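Review bot: `device_id` and `inode` in the new beats.yml `log.file` group are typed `keyword` while the test config in this change lists them under `numeric_keyword_fields`, which indicates the input emits them as integers; the descriptions should make the coercion explicit so queries compare them as strings, e.g. `description: Inode number of the log file. Emitted as an integer; indexed as keyword.` Because the regenerated sample event came from the `tcp` input, none of these fields appear in the docs, so a one-line note that the group is populated only by the logfile/filestream input would help readers of the README table. Add the caveat that an inode/device pair is host-local and reusable after rotation or deletion, so it is not a durable file identity; `fingerprint` is the content-derived identity when enabled. The `fingerprint` description should say what the sha256 covers (presumably the filestream fingerprint file-identity mode — confirm against the Filebeat docs) instead of just "fingerprint identity".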
diff --git a/packages/fortinet_fortimanager/data_stream/log/sample_event.json b/packages/fortinet_fortimanager/data_stream/log/sample_event.json index 790a263a84f..5d2309eb795 100644 --- a/packages/fortinet_fortimanager/data_stream/log/sample_event.json +++ b/packages/fortinet_fortimanager/data_stream/log/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2023-02-19T22:20:11.000Z", "agent": { - "ephemeral_id": "99dc35a7-262c-432b-b09a-0448f5c39a96", - "id": "207d005f-24c8-4c18-9523-e040132174ee", + "ephemeral_id": "8937d089-d80c-4225-9177-d6286824defd", + "id": "1c091add-3dae-4323-a5e8-648158c83b7b", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.3.0" + "version": "8.10.2" }, "data_stream": { "dataset": "fortinet_fortimanager.log", 
@@ -19,19 +19,17 @@ "version": "8.10.0" }, "elastic_agent": { - "id": "207d005f-24c8-4c18-9523-e040132174ee", + "id": "1c091add-3dae-4323-a5e8-648158c83b7b", "snapshot": false, - "version": "8.3.0" + "version": "8.10.2" }, "event": { "action": "roll", "agent_id_status": "verified", "dataset": "fortinet_fortimanager.log", - "ingested": "2023-02-28T07:54:06Z", - "kind": [ - "event" - ], - "original": "\u003c134\u003edate=2023-02-20 time=03:20:11 tz=\"+0500\" devname=Crest-Elastic-FMG-VM64 device_id=FMGVMSTM23000100 log_id=0031040026 type=event subtype=logfile pri=information desc=\"Rolling disk log file\" user=\"system\" userfrom=\"system\" msg=\"Rolled log file glog.1676746501.log of device SYSLOG-0A32041A [SYSLOG-0A32041A] vdom root.\" operation=\"Roll logfile\" performed_on=\"\" changes=\"Rolled log file.\" action=\"roll\"", + "ingested": "2023-10-03T09:57:15Z", + "kind": "event", + "original": "<134>date=2023-02-20 time=03:20:11 tz=\"+0500\" devname=Crest-Elastic-FMG-VM64 device_id=FMGVMSTM23000100 log_id=0031040026 type=event subtype=logfile pri=information desc=\"Rolling disk log file\" user=\"system\" userfrom=\"system\" msg=\"Rolled log file glog.1676746501.log of device SYSLOG-0A32041A [SYSLOG-0A32041A] vdom root.\" operation=\"Roll logfile\" performed_on=\"\" changes=\"Rolled log file.\" action=\"roll\"", "timezone": "+0500", "type": [ "info" @@ -67,11 +65,11 @@ "hostname": "Crest-Elastic-FMG-VM64" }, "input": { - "type": "udp" + "type": "tcp" }, "log": { "source": { - "address": "172.20.0.1:56706" + "address": "192.168.224.5:58676" } }, "message": "Rolled log file glog.1676746501.log of device SYSLOG-0A32041A [SYSLOG-0A32041A] vdom root.", diff --git a/packages/fortinet_fortimanager/docs/README.md b/packages/fortinet_fortimanager/docs/README.md index d87f4448e64..6ccfd10e99d 100644 --- a/packages/fortinet_fortimanager/docs/README.md +++ b/packages/fortinet_fortimanager/docs/README.md 
@@ -50,11 +50,11 @@ An example event for `log` looks as following: { "@timestamp": "2023-02-19T22:20:11.000Z", "agent": { - "ephemeral_id": "99dc35a7-262c-432b-b09a-0448f5c39a96", - "id": "207d005f-24c8-4c18-9523-e040132174ee", + "ephemeral_id": "8937d089-d80c-4225-9177-d6286824defd", + "id": "1c091add-3dae-4323-a5e8-648158c83b7b", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.3.0" + "version": "8.10.2" }, "data_stream": { "dataset": "fortinet_fortimanager.log", @@ -68,19 +68,17 @@ An example event for `log` looks as following: "version": "8.10.0" }, "elastic_agent": { - "id": "207d005f-24c8-4c18-9523-e040132174ee", + "id": "1c091add-3dae-4323-a5e8-648158c83b7b", "snapshot": false, - "version": "8.3.0" + "version": "8.10.2" }, "event": { "action": "roll", "agent_id_status": "verified", "dataset": "fortinet_fortimanager.log", - "ingested": "2023-02-28T07:54:06Z", - "kind": [ - "event" - ], - "original": "\u003c134\u003edate=2023-02-20 time=03:20:11 tz=\"+0500\" devname=Crest-Elastic-FMG-VM64 device_id=FMGVMSTM23000100 log_id=0031040026 type=event subtype=logfile pri=information desc=\"Rolling disk log file\" user=\"system\" userfrom=\"system\" msg=\"Rolled log file glog.1676746501.log of device SYSLOG-0A32041A [SYSLOG-0A32041A] vdom root.\" operation=\"Roll logfile\" performed_on=\"\" changes=\"Rolled log file.\" action=\"roll\"", + "ingested": "2023-10-03T09:57:15Z", + "kind": "event", + "original": "<134>date=2023-02-20 time=03:20:11 tz=\"+0500\" devname=Crest-Elastic-FMG-VM64 device_id=FMGVMSTM23000100 log_id=0031040026 type=event subtype=logfile pri=information desc=\"Rolling disk log file\" user=\"system\" userfrom=\"system\" msg=\"Rolled log file glog.1676746501.log of device SYSLOG-0A32041A [SYSLOG-0A32041A] vdom root.\" operation=\"Roll logfile\" performed_on=\"\" changes=\"Rolled log file.\" action=\"roll\"", "timezone": "+0500", "type": [ "info" 
@@ -116,11 +114,11 @@ An example event for `log` looks as following: "hostname": "Crest-Elastic-FMG-VM64" }, "input": { - "type": "udp" + "type": "tcp" }, "log": { "source": { - "address": "172.20.0.1:56706" + "address": "192.168.224.5:58676" } }, "message": "Rolled log file glog.1676746501.log of device SYSLOG-0A32041A [SYSLOG-0A32041A] vdom root.", @@ -336,7 +334,13 @@ An example event for `log` looks as following: | fortimanager.log.whitelist_size | The size of white list table. | keyword | | fortimanager.log.zip_path | The name of the gzip file being transferred to the server. | keyword | | input.type | Type of filebeat input. | keyword | +| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword | +| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword | +| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword | +| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword | +| log.file.inode | Inode number of the log file. | keyword | | log.file.path | Full path to the log file this event came from. | keyword | +| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword | | log.flags | Flags for the log file. | keyword | | log.offset | Log offset. | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | diff --git a/packages/fortinet_fortimanager/manifest.yml b/packages/fortinet_fortimanager/manifest.yml index 5bf95d1b1fb..0ef43ccc530 100644 --- a/packages/fortinet_fortimanager/manifest.yml +++ b/packages/fortinet_fortimanager/manifest.yml 
@@ -1,7 +1,7 @@
 format_version: "3.0.0"
 name: fortinet_fortimanager
 title: Fortinet FortiManager Logs
-version: "2.7.0"
+version: "2.8.0"
 description: Collect logs from Fortinet FortiManager instances with Elastic Agent.
 type: integration
 categories: ["security", "network", "firewall_security"]
diff --git a/packages/hid_bravura_monitor/changelog.yml b/packages/hid_bravura_monitor/changelog.yml
index c4b18567947..78aace8b9ac 100644
--- a/packages/hid_bravura_monitor/changelog.yml
+++ b/packages/hid_bravura_monitor/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: 1.15.0
+ changes:
+ - description: Adapt fields for changes in file system info
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8014
 - version: 1.14.0
 changes:
 - description: Set 'partner' owner type.
diff --git a/packages/hid_bravura_monitor/data_stream/log/_dev/test/system/test-filestream-config.yml b/packages/hid_bravura_monitor/data_stream/log/_dev/test/system/test-filestream-config.yml
index 4bd67e9c0f1..66d27b8edba 100644
--- a/packages/hid_bravura_monitor/data_stream/log/_dev/test/system/test-filestream-config.yml
+++ b/packages/hid_bravura_monitor/data_stream/log/_dev/test/system/test-filestream-config.yml
@@ -5,3 +5,9 @@ data_stream:
 paths:
 - "{{SERVICE_LOGS_DIR}}/*.log"
 preserve_original_event: true
+numeric_keyword_fields:
+ - log.file.device_id
+ - log.file.inode
+ - log.file.idxhi
+ - log.file.idxlo
+ - log.file.vol
diff --git a/packages/hid_bravura_monitor/data_stream/log/fields/agent.yml b/packages/hid_bravura_monitor/data_stream/log/fields/agent.yml
index f9c19a6fedc..2e752145ee1 100644
--- a/packages/hid_bravura_monitor/data_stream/log/fields/agent.yml
+++ b/packages/hid_bravura_monitor/data_stream/log/fields/agent.yml
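Review bot: The `numeric_keyword_fields` list in test-filestream-config.yml is added without a comment explaining why these five fields need the exemption, so a later maintainer cannot tell whether it documents an intended mapping or hides a mismatch. The fields files in this PR declare them as `keyword`, while the regenerated sample events carry `log.file.device_id` and `log.file.inode` as JSON numbers (2080, 90160), so the option presumably exists to keep the system test's type check from failing on that difference. A one-line comment above the key would make that explicit, e.g. `# filestream reports these as numbers; the fields definitions map them as keyword`. The identical lists added for juniper_srx, both keycloak test configs, mysql_enterprise and sysmon_linux would benefit from the same comment.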
@@ -202,3 +202,24 @@
 - name: log.source.address
 type: keyword
 description: Source address from which the log event was read / sent from.
+- name: log.file
+ type: group
+ fields:
+ - name: device_id
+ type: keyword
+ description: ID of the device containing the filesystem where the file resides.
+ - name: fingerprint
+ type: keyword
+ description: The sha256 fingerprint identity of the file when fingerprinting is enabled.
+ - name: inode
+ type: keyword
+ description: Inode number of the log file.
+ - name: idxhi
+ type: keyword
+ description: The high-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: idxlo
+ type: keyword
+ description: The low-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: vol
+ type: keyword
+ description: The serial number of the volume that contains a file. (Windows-only)
diff --git a/packages/hid_bravura_monitor/data_stream/log/sample_event.json b/packages/hid_bravura_monitor/data_stream/log/sample_event.json
index aba04dec8ce..8c3de324ede 100644
--- a/packages/hid_bravura_monitor/data_stream/log/sample_event.json
+++ b/packages/hid_bravura_monitor/data_stream/log/sample_event.json
@@ -1,11 +1,11 @@
 {
 "@timestamp": "2021-01-16T00:35:25.258Z",
 "agent": {
- "ephemeral_id": "fa387b80-fca3-4488-ac1b-460792f3a8ea",
- "id": "02ab444e-ca97-437b-85dc-d580f055047c",
+ "ephemeral_id": "35e38c15-1a71-4f27-be32-fa338af49c11",
+ "id": "891454b6-66ae-48e0-a2df-0f093ea30e4c",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.1.0"
+ "version": "8.10.2"
 },
 "data_stream": {
 "dataset": "hid_bravura_monitor.log",
@@ -16,14 +16,14 @@
 "version": "8.10.0"
 },
 "elastic_agent": {
- "id": "02ab444e-ca97-437b-85dc-d580f055047c",
+ "id": "891454b6-66ae-48e0-a2df-0f093ea30e4c",
 "snapshot": false,
- "version": "8.1.0"
+ "version": "8.10.2"
 },
 "event": {
 "agent_id_status": "verified",
 "dataset": "hid_bravura_monitor.log",
- "ingested": "2022-11-22T08:13:24Z",
+ "ingested": "2023-10-03T10:00:58Z",
 "original": "\u00182021-01-16 00:35:25.258.7085 - [] pamlws.exe [44408,52004] Error: LWS [HID-TEST] foundcomputer record not found",
 "timezone": "UTC"
 },
@@ -35,23 +35,24 @@
 },
 "host": {
 "architecture": "x86_64",
- "containerized": false,
+ "containerized": true,
 "hostname": "docker-fleet-agent",
+ "id": "efe661d97f0c4d9883075c393da6b0d8",
 "ip": [
- "172.29.0.7"
+ "172.23.0.7"
 ],
 "mac": [
- "02:42:ac:1d:00:07"
+ "02-42-AC-17-00-07"
 ],
 "name": "docker-fleet-agent",
 "os": {
 "codename": "focal",
 "family": "debian",
- "kernel": "5.10.104-linuxkit",
+ "kernel": "5.15.90.1-microsoft-standard-WSL2",
 "name": "Ubuntu",
 "platform": "ubuntu",
 "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
+ "version": "20.04.6 LTS (Focal Fossa)"
 }
 },
 "input": {
@@ -59,11 +60,13 @@
 },
 "log": {
 "file": {
+ "device_id": 2080,
+ "inode": 90160,
 "path": "/tmp/service_logs/hid_bravura_monitor.log"
 },
 "level": "Error",
 "logger": "pamlws.exe",
- "offset": 218
+ "offset": 104
 },
 "message": "LWS [HID-TEST] foundcomputer record not found",
 "process": {
diff --git a/packages/hid_bravura_monitor/docs/README.md b/packages/hid_bravura_monitor/docs/README.md
index cff29e5d7fd..88163112ee1 100644
--- a/packages/hid_bravura_monitor/docs/README.md
+++ b/packages/hid_bravura_monitor/docs/README.md
@@ -155,11 +155,11 @@ An example event for `log` looks as following:
 {
 "@timestamp": "2021-01-16T00:35:25.258Z",
 "agent": {
- "ephemeral_id": "fa387b80-fca3-4488-ac1b-460792f3a8ea",
- "id": "02ab444e-ca97-437b-85dc-d580f055047c",
+ "ephemeral_id": "35e38c15-1a71-4f27-be32-fa338af49c11",
+ "id": "891454b6-66ae-48e0-a2df-0f093ea30e4c",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.1.0"
+ "version": "8.10.2"
 },
 "data_stream": {
 "dataset": "hid_bravura_monitor.log",
@@ -170,14 +170,14 @@ An example event for `log` looks as following:
 "version": "8.10.0"
 },
 "elastic_agent": {
- "id": "02ab444e-ca97-437b-85dc-d580f055047c",
+ "id": "891454b6-66ae-48e0-a2df-0f093ea30e4c",
 "snapshot": false,
- "version": "8.1.0"
+ "version": "8.10.2"
 },
 "event": {
 "agent_id_status": "verified",
 "dataset": "hid_bravura_monitor.log",
- "ingested": "2022-11-22T08:13:24Z",
+ "ingested": "2023-10-03T10:00:58Z",
 "original": "\u00182021-01-16 00:35:25.258.7085 - [] pamlws.exe [44408,52004] Error: LWS [HID-TEST] foundcomputer record not found",
 "timezone": "UTC"
 },
@@ -189,23 +189,24 @@ An example event for `log` looks as following:
 },
 "host": {
 "architecture": "x86_64",
- "containerized": false,
+ "containerized": true,
 "hostname": "docker-fleet-agent",
+ "id": "efe661d97f0c4d9883075c393da6b0d8",
 "ip": [
- "172.29.0.7"
+ "172.23.0.7"
 ],
 "mac": [
- "02:42:ac:1d:00:07"
+ "02-42-AC-17-00-07"
 ],
 "name": "docker-fleet-agent",
 "os": {
 "codename": "focal",
 "family": "debian",
- "kernel": "5.10.104-linuxkit",
+ "kernel": "5.15.90.1-microsoft-standard-WSL2",
 "name": "Ubuntu",
 "platform": "ubuntu",
 "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
+ "version": "20.04.6 LTS (Focal Fossa)"
 }
 },
 "input": {
@@ -213,11 +214,13 @@ An example event for `log` looks as following:
 },
 "log": {
 "file": {
+ "device_id": 2080,
+ "inode": 90160,
 "path": "/tmp/service_logs/hid_bravura_monitor.log"
 },
 "level": "Error",
 "logger": "pamlws.exe",
- "offset": 218
+ "offset": 104
 },
 "message": "LWS [HID-TEST] foundcomputer record not found",
 "process": {
@@ -349,7 +352,13 @@ An example event for `log` looks as following:
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type. | keyword |
 | labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object |
+| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword |
+| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword |
+| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.inode | Inode number of the log file. | keyword |
 | log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword |
 | log.flags | Flags for the log file. | keyword |
 | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
 | log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
diff --git a/packages/hid_bravura_monitor/manifest.yml b/packages/hid_bravura_monitor/manifest.yml
index c0cb77af448..36a3975e1fb 100644
--- a/packages/hid_bravura_monitor/manifest.yml
+++ b/packages/hid_bravura_monitor/manifest.yml
@@ -1,6 +1,6 @@
 name: hid_bravura_monitor
 title: Bravura Monitor
-version: "1.14.0"
+version: "1.15.0"
 categories: ["security", "iam"]
 description: Collect logs from Bravura Security Fabric with Elastic Agent.
 type: integration
diff --git a/packages/hid_bravura_monitor/validation.yml b/packages/hid_bravura_monitor/validation.yml
index 2527f20c354..2b0dbafa239 100644
--- a/packages/hid_bravura_monitor/validation.yml
+++ b/packages/hid_bravura_monitor/validation.yml
@@ -1,3 +1,3 @@
 errors:
 exclude_checks:
- - SVR00002 # Mandatory filters in dashboards.
+ - SVR00002 # Mandatory filters in dashboards.
diff --git a/packages/juniper_srx/changelog.yml b/packages/juniper_srx/changelog.yml
index be8f2591685..1986f4366be 100644
--- a/packages/juniper_srx/changelog.yml
+++ b/packages/juniper_srx/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: 1.18.0
+ changes:
+ - description: Adapt fields for changes in file system info
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8014
 - version: 1.17.1
 changes:
 - description: Remove redundant regular expression quantifier.
diff --git a/packages/juniper_srx/data_stream/log/_dev/test/system/test-logfile-config.yml b/packages/juniper_srx/data_stream/log/_dev/test/system/test-logfile-config.yml
index 2253a06d48e..2128256c0c7 100644
--- a/packages/juniper_srx/data_stream/log/_dev/test/system/test-logfile-config.yml
+++ b/packages/juniper_srx/data_stream/log/_dev/test/system/test-logfile-config.yml
@@ -4,3 +4,9 @@ data_stream:
 vars:
 paths:
 - "{{SERVICE_LOGS_DIR}}/*srx*.log"
+numeric_keyword_fields:
+ - log.file.device_id
+ - log.file.inode
+ - log.file.idxhi
+ - log.file.idxlo
+ - log.file.vol
diff --git a/packages/juniper_srx/data_stream/log/fields/agent.yml b/packages/juniper_srx/data_stream/log/fields/agent.yml
index d30923aab30..004cafbe206 100644
--- a/packages/juniper_srx/data_stream/log/fields/agent.yml
+++ b/packages/juniper_srx/data_stream/log/fields/agent.yml
@@ -70,3 +70,24 @@
 - name: log.source.address
 type: keyword
 description: Source address of the syslog message.
+- name: log.file
+ type: group
+ fields:
+ - name: device_id
+ type: keyword
+ description: ID of the device containing the filesystem where the file resides.
+ - name: fingerprint
+ type: keyword
+ description: The sha256 fingerprint identity of the file when fingerprinting is enabled.
+ - name: inode
+ type: keyword
+ description: Inode number of the log file.
+ - name: idxhi
+ type: keyword
+ description: The high-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: idxlo
+ type: keyword
+ description: The low-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: vol
+ type: keyword
+ description: The serial number of the volume that contains a file. (Windows-only)
diff --git a/packages/juniper_srx/data_stream/log/sample_event.json b/packages/juniper_srx/data_stream/log/sample_event.json
index 594ed585dfe..d147fa3292c 100644
--- a/packages/juniper_srx/data_stream/log/sample_event.json
+++ b/packages/juniper_srx/data_stream/log/sample_event.json
@@ -1,11 +1,11 @@
 {
 "@timestamp": "2016-02-18T01:32:50.391Z",
 "agent": {
- "ephemeral_id": "468e3921-9867-43fa-8cc6-d8b5ccb54a25",
- "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
+ "ephemeral_id": "54aa3cbe-60b4-41ae-9a50-c2f871846983",
+ "id": "3bf92588-2ea8-4747-8efa-294ffad051db",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.0.0-beta1"
+ "version": "8.10.2"
 },
 "client": {
 "ip": "192.168.1.100",
@@ -36,9 +36,9 @@
 "version": "8.10.0"
 },
 "elastic_agent": {
- "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
+ "id": "3bf92588-2ea8-4747-8efa-294ffad051db",
 "snapshot": false,
- "version": "8.0.0-beta1"
+ "version": "8.10.2"
 },
 "event": {
 "action": "web_filter",
@@ -48,7 +48,7 @@
 "malware"
 ],
 "dataset": "juniper_srx.log",
- "ingested": "2022-01-01T23:05:23Z",
+ "ingested": "2023-10-03T10:08:52Z",
 "kind": "alert",
 "outcome": "success",
 "severity": 12,
@@ -60,7 +60,7 @@
 ]
 },
 "input": {
- "type": "udp"
+ "type": "tcp"
 },
 "juniper": {
 "srx": {
@@ -74,7 +74,7 @@
 "log": {
 "level": "warning",
 "source": {
- "address": "172.18.0.7:60328"
+ "address": "172.25.0.6:36430"
 }
 },
 "observer": {
@@ -83,6 +83,9 @@
 "type": "firewall",
 "vendor": "Juniper"
 },
+ "process": {
+ "name": "RT_UTM"
+ },
 "related": {
 "hosts": [
 "www.baidu.com"
diff --git a/packages/juniper_srx/docs/README.md b/packages/juniper_srx/docs/README.md
index f39f182b8d1..8b6f6eceb16 100644
--- a/packages/juniper_srx/docs/README.md
+++ b/packages/juniper_srx/docs/README.md
@@ -424,7 +424,13 @@ The following processes and tags are supported:
 | juniper.srx.verdict_number | verdict number | integer |
 | juniper.srx.verdict_source | verdict source | keyword |
 | labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object |
+| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword |
+| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword |
+| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.inode | Inode number of the log file. | keyword |
 | log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword |
 | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
 | log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
 | log.offset | Byte offset of the log line within its file. | long |
diff --git a/packages/juniper_srx/manifest.yml b/packages/juniper_srx/manifest.yml
index 0b5d7828a29..22b21a045d8 100644
--- a/packages/juniper_srx/manifest.yml
+++ b/packages/juniper_srx/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.0"
 name: juniper_srx
 title: Juniper SRX
-version: "1.17.1"
+version: "1.18.0"
 description: Collect logs from Juniper SRX devices with Elastic Agent.
 categories: ["network", "security", "firewall_security"]
 type: integration
diff --git a/packages/keycloak/changelog.yml b/packages/keycloak/changelog.yml
index dc057ca2105..e7d06337d69 100644
--- a/packages/keycloak/changelog.yml
+++ b/packages/keycloak/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: 1.17.0
+ changes:
+ - description: Adapt fields for changes in file system info
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8014
 - version: 1.16.0
 changes:
 - description: Set 'community' owner type.
diff --git a/packages/keycloak/data_stream/log/_dev/test/system/test-logfile-config.yml b/packages/keycloak/data_stream/log/_dev/test/system/test-logfile-config.yml
index b9aae2f62f0..22170cc500e 100644
--- a/packages/keycloak/data_stream/log/_dev/test/system/test-logfile-config.yml
+++ b/packages/keycloak/data_stream/log/_dev/test/system/test-logfile-config.yml
@@ -8,3 +8,9 @@ data_stream:
 preserve_original_event: true
 tz_offset: -05:00
 only_user_events: false
+numeric_keyword_fields:
+ - log.file.device_id
+ - log.file.inode
+ - log.file.idxhi
+ - log.file.idxlo
+ - log.file.vol
diff --git a/packages/keycloak/data_stream/log/_dev/test/system/test-logfile-non-utc-config.yml b/packages/keycloak/data_stream/log/_dev/test/system/test-logfile-non-utc-config.yml
index 7ab124c3e81..eb587fbc368 100644
--- a/packages/keycloak/data_stream/log/_dev/test/system/test-logfile-non-utc-config.yml
+++ b/packages/keycloak/data_stream/log/_dev/test/system/test-logfile-non-utc-config.yml
@@ -8,3 +8,9 @@ data_stream:
 preserve_original_event: true
 tz_offset: "+05:00"
 only_user_events: false
+numeric_keyword_fields:
+ - log.file.device_id
+ - log.file.inode
+ - log.file.idxhi
+ - log.file.idxlo
+ - log.file.vol
diff --git a/packages/keycloak/data_stream/log/fields/beats.yml b/packages/keycloak/data_stream/log/fields/beats.yml
index cb44bb29442..4e189f20187 100644
--- a/packages/keycloak/data_stream/log/fields/beats.yml
+++ b/packages/keycloak/data_stream/log/fields/beats.yml
@@ -10,3 +10,24 @@
 - name: log.file.path
 type: keyword
 description: Path to the log file.
+- name: log.file
+ type: group
+ fields:
+ - name: device_id
+ type: keyword
+ description: ID of the device containing the filesystem where the file resides.
+ - name: fingerprint
+ type: keyword
+ description: The sha256 fingerprint identity of the file when fingerprinting is enabled.
+ - name: inode
+ type: keyword
+ description: Inode number of the log file.
+ - name: idxhi
+ type: keyword
+ description: The high-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: idxlo
+ type: keyword
+ description: The low-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: vol
+ type: keyword
+ description: The serial number of the volume that contains a file. (Windows-only)
diff --git a/packages/keycloak/data_stream/log/sample_event.json b/packages/keycloak/data_stream/log/sample_event.json
index 7c4be680b8a..02c77527881 100644
--- a/packages/keycloak/data_stream/log/sample_event.json
+++ b/packages/keycloak/data_stream/log/sample_event.json
@@ -1,11 +1,11 @@
 {
- "@timestamp": "2021-10-22T21:01:42.667+05:00",
+ "@timestamp": "2021-10-22T21:01:42.667-05:00",
 "agent": {
- "ephemeral_id": "5861dcd8-02a1-48fe-943d-45eb7fd83e5e",
- "id": "e4c29d91-bbb7-42b8-80fd-85ddb56d2300",
+ "ephemeral_id": "bb6d890f-5c05-4247-b410-8f3b914e5293",
+ "id": "d053789b-7b04-4a8c-b06c-ca79014bb61a",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.8.2"
+ "version": "8.10.2"
 },
 "data_stream": {
 "dataset": "keycloak.log",
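Review bot: In beats.yml the new `log.file` group is appended directly below the existing flat `- name: log.file.path` entry, so the same `log.file` namespace is now declared twice in one file, once as a dotted leaf and once as a group. Package tooling merges both into the same object, but a reader sees two competing definitions, and any future edit to the group will not obviously cover `path`. Moving the existing entry inside the group as `- name: path` with its `type: keyword` and `description: Path to the log file.` lines, and dropping the flat entry, keeps all `log.file.*` fields in one place. The agent.yml hunks for hid_bravura_monitor, juniper_srx and mysql_enterprise probably have the same shape if those files also declare `log.file.path` flat, but that line is outside their hunk context.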
@@ -13,36 +13,36 @@
 "type": "logs"
 },
 "ecs": {
- "version": "8.9.0"
+ "version": "8.10.0"
 },
 "elastic_agent": {
- "id": "e4c29d91-bbb7-42b8-80fd-85ddb56d2300",
+ "id": "d053789b-7b04-4a8c-b06c-ca79014bb61a",
 "snapshot": false,
- "version": "8.8.2"
+ "version": "8.10.2"
 },
 "event": {
 "agent_id_status": "verified",
 "dataset": "keycloak.log",
- "ingested": "2023-07-24T13:27:46Z",
+ "ingested": "2023-10-03T10:29:46Z",
 "original": "2021-10-22 21:01:42,667 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 64) RESTEASY002220: Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication",
- "timezone": "+05:00"
+ "timezone": "-05:00"
 },
 "host": {
 "architecture": "x86_64",
 "containerized": true,
 "hostname": "docker-fleet-agent",
- "id": "f61391496aaa43bb94736676494450c5",
+ "id": "efe661d97f0c4d9883075c393da6b0d8",
 "ip": [
- "172.22.0.10"
+ "172.30.0.7"
 ],
 "mac": [
- "02-42-AC-16-00-0A"
+ "02-42-AC-1E-00-07"
 ],
 "name": "docker-fleet-agent",
 "os": {
 "codename": "focal",
 "family": "debian",
- "kernel": "5.10.47-linuxkit",
+ "kernel": "5.15.90.1-microsoft-standard-WSL2",
 "name": "Ubuntu",
 "platform": "ubuntu",
 "type": "linux",
@@ -54,6 +54,8 @@
 },
 "log": {
 "file": {
+ "device_id": 2080,
+ "inode": 90612,
 "path": "/tmp/service_logs/test-log.log"
 },
 "level": "INFO",
diff --git a/packages/keycloak/docs/README.md b/packages/keycloak/docs/README.md
index 44534f425a1..96c1afc1012 100644
--- a/packages/keycloak/docs/README.md
+++ b/packages/keycloak/docs/README.md
@@ -87,7 +87,13 @@ to your configuration XML file (ie standalone.xml) under the path below
 | keycloak.login.redirect_uri | Keycloak redirect URL | keyword |
 | keycloak.login.type | Event Type | keyword |
 | keycloak.realm.id | Keycloak Realm ID | keyword |
+| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword |
+| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword |
+| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.inode | Inode number of the log file. | keyword |
 | log.file.path | Path to the log file. | keyword |
+| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword |
 | log.flags | Flags for the log file. | keyword |
 | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
 | log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
@@ -132,13 +138,13 @@ An example event for `log` looks as following:
 ```json
 {
- "@timestamp": "2021-10-22T21:01:42.667+05:00",
+ "@timestamp": "2021-10-22T21:01:42.667-05:00",
 "agent": {
- "ephemeral_id": "5861dcd8-02a1-48fe-943d-45eb7fd83e5e",
- "id": "e4c29d91-bbb7-42b8-80fd-85ddb56d2300",
+ "ephemeral_id": "bb6d890f-5c05-4247-b410-8f3b914e5293",
+ "id": "d053789b-7b04-4a8c-b06c-ca79014bb61a",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.8.2"
+ "version": "8.10.2"
 },
 "data_stream": {
 "dataset": "keycloak.log",
@@ -146,36 +152,36 @@ An example event for `log` looks as following:
 "type": "logs"
 },
 "ecs": {
- "version": "8.9.0"
+ "version": "8.10.0"
 },
 "elastic_agent": {
- "id": "e4c29d91-bbb7-42b8-80fd-85ddb56d2300",
+ "id": "d053789b-7b04-4a8c-b06c-ca79014bb61a",
 "snapshot": false,
- "version": "8.8.2"
+ "version": "8.10.2"
 },
 "event": {
 "agent_id_status": "verified",
 "dataset": "keycloak.log",
- "ingested": "2023-07-24T13:27:46Z",
+ "ingested": "2023-10-03T10:29:46Z",
 "original": "2021-10-22 21:01:42,667 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 64) RESTEASY002220: Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication",
- "timezone": "+05:00"
+ "timezone": "-05:00"
 },
 "host": {
 "architecture": "x86_64",
 "containerized": true,
 "hostname": "docker-fleet-agent",
- "id": "f61391496aaa43bb94736676494450c5",
+ "id": "efe661d97f0c4d9883075c393da6b0d8",
 "ip": [
- "172.22.0.10"
+ "172.30.0.7"
 ],
 "mac": [
- "02-42-AC-16-00-0A"
+ "02-42-AC-1E-00-07"
 ],
 "name": "docker-fleet-agent",
 "os": {
 "codename": "focal",
 "family": "debian",
- "kernel": "5.10.47-linuxkit",
+ "kernel": "5.15.90.1-microsoft-standard-WSL2",
 "name": "Ubuntu",
 "platform": "ubuntu",
 "type": "linux",
@@ -187,6 +193,8 @@ An example event for `log` looks as following:
 },
 "log": {
 "file": {
+ "device_id": 2080,
+ "inode": 90612,
 "path": "/tmp/service_logs/test-log.log"
 },
 "level": "INFO",
diff --git a/packages/keycloak/manifest.yml b/packages/keycloak/manifest.yml
index a2e1cba47c1..e78168e6504 100644
--- a/packages/keycloak/manifest.yml
+++ b/packages/keycloak/manifest.yml
@@ -1,6 +1,6 @@
 name: keycloak
 title: Keycloak
-version: "1.16.0"
+version: "1.17.0"
 description: Collect logs from Keycloak with Elastic Agent.
 type: integration
 format_version: "3.0.0"
diff --git a/packages/mysql_enterprise/_dev/deploy/docker/docker-compose.yml b/packages/mysql_enterprise/_dev/deploy/docker/docker-compose.yml
index 0c79377b3c2..efdcd8f5cfa 100644
--- a/packages/mysql_enterprise/_dev/deploy/docker/docker-compose.yml
+++ b/packages/mysql_enterprise/_dev/deploy/docker/docker-compose.yml
@@ -1,7 +1,8 @@
-version: '2.3'
+version: '3'
 services:
 mysql-audit-logfile:
 image: alpine
+ tty: true
 volumes:
 - ./sample_logs:/sample_logs:rw
 - ${SERVICE_LOGS_DIR}:/var/log
diff --git a/packages/mysql_enterprise/changelog.yml b/packages/mysql_enterprise/changelog.yml
index 9b84052ea2a..6191937d3e3 100644
--- a/packages/mysql_enterprise/changelog.yml
+++ b/packages/mysql_enterprise/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: 1.13.0
+ changes:
+ - description: Adapt fields for changes in file system info
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8014
 - version: 1.12.0
 changes:
 - description: ECS version updated to 8.10.0.
diff --git a/packages/mysql_enterprise/data_stream/audit/_dev/test/system/test-logfile-config.yml b/packages/mysql_enterprise/data_stream/audit/_dev/test/system/test-logfile-config.yml
index 162b5355097..1744417cf7e 100644
--- a/packages/mysql_enterprise/data_stream/audit/_dev/test/system/test-logfile-config.yml
+++ b/packages/mysql_enterprise/data_stream/audit/_dev/test/system/test-logfile-config.yml
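Review bot: In docker-compose.yml the added `tty: true` on the `mysql-audit-logfile` service has no comment saying what it is for; no `command` is visible in the hunk, so the likely purpose is keeping the plain `alpine` container from exiting before the log files are read, but a reader cannot confirm that from the file. A short comment such as `tty: true  # keep the alpine container running so its log mount stays available` would record the intent. Separately, the committed fixture directory is mounted as `./sample_logs:/sample_logs:rw`; if the container only reads from it (presumably copying into `/var/log`, which is not visible here), mounting it `:ro` keeps a test run from modifying checked-in sample data. The service definition may continue past the hunk, so the `command`, if any, was not reviewed.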
@@ -6,3 +6,9 @@ data_stream:
 vars:
 paths:
 - "{{SERVICE_LOGS_DIR}}/mysql_audit.log"
+numeric_keyword_fields:
+ - log.file.device_id
+ - log.file.inode
+ - log.file.idxhi
+ - log.file.idxlo
+ - log.file.vol
diff --git a/packages/mysql_enterprise/data_stream/audit/fields/agent.yml b/packages/mysql_enterprise/data_stream/audit/fields/agent.yml
index e313ec82874..de557702e49 100644
--- a/packages/mysql_enterprise/data_stream/audit/fields/agent.yml
+++ b/packages/mysql_enterprise/data_stream/audit/fields/agent.yml
@@ -202,3 +202,24 @@
 - name: log.offset
 type: long
 description: Log offset
+- name: log.file
+ type: group
+ fields:
+ - name: device_id
+ type: keyword
+ description: ID of the device containing the filesystem where the file resides.
+ - name: fingerprint
+ type: keyword
+ description: The sha256 fingerprint identity of the file when fingerprinting is enabled.
+ - name: inode
+ type: keyword
+ description: Inode number of the log file.
+ - name: idxhi
+ type: keyword
+ description: The high-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: idxlo
+ type: keyword
+ description: The low-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: vol
+ type: keyword
+ description: The serial number of the volume that contains a file. (Windows-only)
diff --git a/packages/mysql_enterprise/data_stream/audit/sample_event.json b/packages/mysql_enterprise/data_stream/audit/sample_event.json
index a0e9f5a5581..c30dfd67e91 100644
--- a/packages/mysql_enterprise/data_stream/audit/sample_event.json
+++ b/packages/mysql_enterprise/data_stream/audit/sample_event.json
@@ -1,11 +1,11 @@
 {
 "@timestamp": "2020-10-19T19:21:33.000Z",
 "agent": {
- "ephemeral_id": "40541c95-7cce-4bef-be7b-3eb82f363f0f",
- "id": "0a5c1566-c6fd-4e91-b96d-4083445a000e",
+ "ephemeral_id": "9b24d1b7-d491-4e8f-b484-2f0b07a4344c",
+ "id": "2c39d956-ec71-4ff1-ba44-ee2a67272f8f",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.9.0"
+ "version": "8.10.2"
 },
 "data_stream": {
 "dataset": "mysql_enterprise.audit",
@@ -16,9 +16,9 @@
 "version": "8.10.0"
 },
 "elastic_agent": {
- "id": "0a5c1566-c6fd-4e91-b96d-4083445a000e",
+ "id": "2c39d956-ec71-4ff1-ba44-ee2a67272f8f",
 "snapshot": false,
- "version": "8.9.0"
+ "version": "8.10.2"
 },
 "event": {
 "action": "mysql-startup",
@@ -27,7 +27,7 @@
 "database"
 ],
 "dataset": "mysql_enterprise.audit",
- "ingested": "2023-07-31T15:48:08Z",
+ "ingested": "2023-10-03T10:32:19Z",
 "kind": "event",
 "outcome": "unknown",
 "timezone": "+00:00"
@@ -36,19 +36,19 @@
 "architecture": "x86_64",
 "containerized": true,
 "hostname": "docker-fleet-agent",
- "id": "61993a3120a949b68ffe69a69ae82866",
+ "id": "efe661d97f0c4d9883075c393da6b0d8",
 "ip": [
- "192.168.176.7"
+ "192.168.16.7"
 ],
 "mac": [
- "02-42-C0-A8-B0-07"
+ "02-42-C0-A8-10-07"
 ],
 "name": "docker-fleet-agent",
 "os": {
 "codename": "focal",
 "family": "debian",
 "full": "x86_64-Linux",
- "kernel": "5.10.47-linuxkit",
+ "kernel": "5.15.90.1-microsoft-standard-WSL2",
 "name": "Ubuntu",
 "platform": "ubuntu",
 "type": "linux",
@@ -60,6 +60,8 @@
 },
 "log": {
 "file": {
+ "device_id": 2080,
+ "inode": 90785,
 "path": "/tmp/service_logs/mysql_audit.log"
 },
 "offset": 0
diff --git a/packages/mysql_enterprise/docs/README.md b/packages/mysql_enterprise/docs/README.md
index 777b9c23e85..b4bd0c6468a 100644
--- a/packages/mysql_enterprise/docs/README.md
+++ b/packages/mysql_enterprise/docs/README.md
@@ -68,7 +68,13 @@ The `audit` dataset collects MySQL Enterprise Audit logs.
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
+| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword |
+| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword |
+| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.inode | Inode number of the log file. | keyword |
 | log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword |
 | log.offset | Log offset | long |
 | message | human-readable summary of the event | text |
 | mysqlenterprise.audit.account.host | A string representing the client host name. | keyword |
@@ -124,11 +130,11 @@ An example event for `audit` looks as following:
 {
 "@timestamp": "2020-10-19T19:21:33.000Z",
 "agent": {
- "ephemeral_id": "40541c95-7cce-4bef-be7b-3eb82f363f0f",
- "id": "0a5c1566-c6fd-4e91-b96d-4083445a000e",
+ "ephemeral_id": "9b24d1b7-d491-4e8f-b484-2f0b07a4344c",
+ "id": "2c39d956-ec71-4ff1-ba44-ee2a67272f8f",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.9.0"
+ "version": "8.10.2"
 },
 "data_stream": {
 "dataset": "mysql_enterprise.audit",
@@ -139,9 +145,9 @@ An example event for `audit` looks as following:
 "version": "8.10.0"
 },
 "elastic_agent": {
- "id": "0a5c1566-c6fd-4e91-b96d-4083445a000e",
+ "id": "2c39d956-ec71-4ff1-ba44-ee2a67272f8f",
 "snapshot": false,
- "version": "8.9.0"
+ "version": "8.10.2"
 },
 "event": {
 "action": "mysql-startup",
@@ -150,7 +156,7 @@ An example event for `audit` looks as following:
 "database"
 ],
 "dataset": "mysql_enterprise.audit",
- "ingested": "2023-07-31T15:48:08Z",
+ "ingested": "2023-10-03T10:32:19Z",
 "kind": "event",
 "outcome": "unknown",
 "timezone": "+00:00"
@@ -159,19 +165,19 @@ An example event for `audit` looks as following:
 "architecture": "x86_64",
 "containerized": true,
 "hostname": "docker-fleet-agent",
- "id": "61993a3120a949b68ffe69a69ae82866",
+ "id": "efe661d97f0c4d9883075c393da6b0d8",
 "ip": [
- "192.168.176.7"
+ "192.168.16.7"
 ],
 "mac": [
- "02-42-C0-A8-B0-07"
+ "02-42-C0-A8-10-07"
 ],
 "name": "docker-fleet-agent",
 "os": {
 "codename": "focal",
 "family": "debian",
 "full": "x86_64-Linux",
- "kernel": "5.10.47-linuxkit",
+ "kernel": "5.15.90.1-microsoft-standard-WSL2",
 "name": "Ubuntu",
 "platform": "ubuntu",
 "type": "linux",
@@ -183,6 +189,8 @@ An example event for `audit` looks as following:
 },
 "log": {
 "file": {
+ "device_id": 2080,
+ "inode": 90785,
 "path": "/tmp/service_logs/mysql_audit.log"
 },
 "offset": 0
diff --git a/packages/mysql_enterprise/manifest.yml b/packages/mysql_enterprise/manifest.yml
index 68ddfb2d695..7232d0ddd8a 100644
--- a/packages/mysql_enterprise/manifest.yml
+++ b/packages/mysql_enterprise/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.0"
 name: mysql_enterprise
 title: "MySQL Enterprise"
-version: "1.12.0"
+version: "1.13.0"
 description: Collect audit logs from MySQL Enterprise with Elastic Agent.
 type: integration
 categories:
diff --git a/packages/sysmon_linux/changelog.yml b/packages/sysmon_linux/changelog.yml
index de430b7ce9c..b0d43a55f90 100644
--- a/packages/sysmon_linux/changelog.yml
+++ b/packages/sysmon_linux/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: 1.5.0
+ changes:
+ - description: Adapt fields for changes in file system info
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8014
 - version: 1.4.0
 changes:
 - description: ECS version updated to 8.10.0.
diff --git a/packages/sysmon_linux/data_stream/log/_dev/test/system/test-filestream-config.yml b/packages/sysmon_linux/data_stream/log/_dev/test/system/test-filestream-config.yml
index 1240532efb8..f5d98aedca8 100644
--- a/packages/sysmon_linux/data_stream/log/_dev/test/system/test-filestream-config.yml
+++ b/packages/sysmon_linux/data_stream/log/_dev/test/system/test-filestream-config.yml
@@ -5,3 +5,9 @@ data_stream:
 paths:
 - "{{SERVICE_LOGS_DIR}}/*.log"
 preserve_original_event: true
+numeric_keyword_fields:
+ - log.file.device_id
+ - log.file.inode
+ - log.file.idxhi
+ - log.file.idxlo
+ - log.file.vol
diff --git a/packages/sysmon_linux/data_stream/log/fields/beats.yml b/packages/sysmon_linux/data_stream/log/fields/beats.yml
index 3c48f1f224f..f3701711269 100644
--- a/packages/sysmon_linux/data_stream/log/fields/beats.yml
+++ b/packages/sysmon_linux/data_stream/log/fields/beats.yml
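Review bot: The new `numeric_keyword_fields` list in test-filestream-config.yml carries no explanation of why keyword-mapped fields must accept numeric values, so the next maintainer cannot tell whether this is a test workaround or the intended contract; the regenerated sample events in this change do show `device_id` and `inode` arriving as JSON numbers, which is presumably the reason. I would add a comment above the key, `# Filebeat emits these log.file.* identifiers as numbers while fields/beats.yml maps them as keyword; accept numeric values in test events.`. The list also repeats five field names from fields/beats.yml, so a rename in one file and not the other would surface only as a system-test type mismatch; the comment's pointer to the fields file helps keep them in step. The trendmicro test-filestream-config.yml hunk ending at L66 adds the identical list and should carry the same comment.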
@@ -1,3 +1,24 @@
 - name: input.type
 type: keyword
 description: Type of Filebeat input.
+- name: log.file
+ type: group
+ fields:
+ - name: device_id
+ type: keyword
+ description: ID of the device containing the filesystem where the file resides.
+ - name: fingerprint
+ type: keyword
+ description: The sha256 fingerprint identity of the file when fingerprinting is enabled.
+ - name: inode
+ type: keyword
+ description: Inode number of the log file.
+ - name: idxhi
+ type: keyword
+ description: The high-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: idxlo
+ type: keyword
+ description: The low-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: vol
+ type: keyword
+ description: The serial number of the volume that contains a file. (Windows-only)
diff --git a/packages/sysmon_linux/data_stream/log/sample_event.json b/packages/sysmon_linux/data_stream/log/sample_event.json
index 9f128e052cf..d8f6b77da36 100644
--- a/packages/sysmon_linux/data_stream/log/sample_event.json
+++ b/packages/sysmon_linux/data_stream/log/sample_event.json
@@ -1,11 +1,11 @@
 {
- "@timestamp": "2022-10-24T17:05:31.000Z",
+ "@timestamp": "2023-10-24T17:05:31.000Z",
 "agent": {
- "ephemeral_id": "0ccb5087-29e5-4a64-a028-e51e06c2d944",
- "id": "af423af4-492e-4074-bae6-f31a40d3fd91",
+ "ephemeral_id": "9a76eca2-a433-4b6f-a30b-bac6e6d09995",
+ "id": "9f4e1395-4b95-476b-8057-130127354b7a",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.5.0"
+ "version": "8.10.2"
 },
 "data_stream": {
 "dataset": "sysmon_linux.log",
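Review bot: `device_id` and `inode` are mapped as `keyword` in this hunk while the regenerated sample_event.json in the same change emits them as JSON numbers (`"device_id": 2080`, `"inode": 91045`) and the README table documents them as keyword; Elasticsearch accepts numbers into keyword fields and stores them as strings, but a reader of the example will assume a numeric field and may write range or arithmetic queries that silently do the wrong thing. Keyword is the right choice for an identifier, so I would make the contract explicit in the descriptions, e.g. `description: ID of the device containing the filesystem where the file resides. Indexed as a keyword because the value is an opaque identifier, not a quantity.` and likewise for `inode`. The `idxhi`, `idxlo` and `vol` descriptions are tagged `(Windows-only)` while `device_id` and `inode` carry no platform tag although they appear to be the non-Windows counterparts; a matching `(non-Windows)` suffix would balance the documentation. The trendmicro fields/agent.yml hunk ending at L67 adds the identical group and the same points apply there.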
@@ -16,23 +16,23 @@
 "version": "8.10.0"
 },
 "elastic_agent": {
- "id": "af423af4-492e-4074-bae6-f31a40d3fd91",
+ "id": "9f4e1395-4b95-476b-8057-130127354b7a",
 "snapshot": false,
- "version": "8.5.0"
+ "version": "8.10.2"
 },
 "event": {
 "action": "log",
 "agent_id_status": "verified",
 "dataset": "sysmon_linux.log",
- "ingested": "2022-12-08T10:33:50Z",
+ "ingested": "2023-10-03T10:35:51Z",
 "kind": "event",
 "timezone": "+00:00"
 },
 "host": {
 "architecture": "x86_64",
- "containerized": false,
+ "containerized": true,
 "hostname": "docker-fleet-agent",
- "id": "66392b0697b84641af8006d87aeb89f1",
+ "id": "efe661d97f0c4d9883075c393da6b0d8",
 "ip": [
 "192.168.48.7"
 ],
@@ -43,11 +43,11 @@
 "os": {
 "codename": "focal",
 "family": "debian",
- "kernel": "5.10.104-linuxkit",
+ "kernel": "5.15.90.1-microsoft-standard-WSL2",
 "name": "Ubuntu",
 "platform": "ubuntu",
 "type": "linux",
- "version": "20.04.5 LTS (Focal Fossa)"
+ "version": "20.04.6 LTS (Focal Fossa)"
 }
 },
 "input": {
@@ -55,6 +55,8 @@
 },
 "log": {
 "file": {
+ "device_id": 2080,
+ "inode": 91045,
 "path": "/tmp/service_logs/sysmon.log"
 },
 "offset": 0
diff --git a/packages/sysmon_linux/docs/README.md b/packages/sysmon_linux/docs/README.md
index 2d6562ff2cb..26746072bcc 100644
--- a/packages/sysmon_linux/docs/README.md
+++ b/packages/sysmon_linux/docs/README.md
@@ -25,13 +25,13 @@ An example event for `log` looks as following:
 ```json
 {
- "@timestamp": "2022-10-24T17:05:31.000Z",
+ "@timestamp": "2023-10-24T17:05:31.000Z",
 "agent": {
- "ephemeral_id": "0ccb5087-29e5-4a64-a028-e51e06c2d944",
- "id": "af423af4-492e-4074-bae6-f31a40d3fd91",
+ "ephemeral_id": "9a76eca2-a433-4b6f-a30b-bac6e6d09995",
+ "id": "9f4e1395-4b95-476b-8057-130127354b7a",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.5.0"
+ "version": "8.10.2"
 },
 "data_stream": {
 "dataset": "sysmon_linux.log",
@@ -42,23 +42,23 @@ An example event for `log` looks as following:
 "version": "8.10.0"
 },
 "elastic_agent": {
- "id": "af423af4-492e-4074-bae6-f31a40d3fd91",
+ "id": "9f4e1395-4b95-476b-8057-130127354b7a",
 "snapshot": false,
- "version": "8.5.0"
+ "version": "8.10.2"
 },
 "event": {
 "action": "log",
 "agent_id_status": "verified",
 "dataset": "sysmon_linux.log",
- "ingested": "2022-12-08T10:33:50Z",
+ "ingested": "2023-10-03T10:35:51Z",
 "kind": "event",
 "timezone": "+00:00"
 },
 "host": {
 "architecture": "x86_64",
- "containerized": false,
+ "containerized": true,
 "hostname": "docker-fleet-agent",
- "id": "66392b0697b84641af8006d87aeb89f1",
+ "id": "efe661d97f0c4d9883075c393da6b0d8",
 "ip": [
 "192.168.48.7"
 ],
@@ -69,11 +69,11 @@ An example event for `log` looks as following:
 "os": {
 "codename": "focal",
 "family": "debian",
- "kernel": "5.10.104-linuxkit",
+ "kernel": "5.15.90.1-microsoft-standard-WSL2",
 "name": "Ubuntu",
 "platform": "ubuntu",
 "type": "linux",
- "version": "20.04.5 LTS (Focal Fossa)"
+ "version": "20.04.6 LTS (Focal Fossa)"
 }
 },
 "input": {
@@ -81,6 +81,8 @@ An example event for `log` looks as following:
 },
 "log": {
 "file": {
+ "device_id": 2080,
+ "inode": 91045,
 "path": "/tmp/service_logs/sysmon.log"
 },
 "offset": 0
@@ -195,7 +197,13 @@ An example event for `log` looks as following:
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Type of Filebeat input. | keyword |
+| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword |
+| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword |
+| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.inode | Inode number of the log file. | keyword |
 | log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword |
 | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
 | log.offset | Offset of the entry in the log file. | long |
 | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
diff --git a/packages/sysmon_linux/manifest.yml b/packages/sysmon_linux/manifest.yml
index aab3e0c6934..7d65bb7f993 100644
--- a/packages/sysmon_linux/manifest.yml
+++ b/packages/sysmon_linux/manifest.yml
@@ -1,6 +1,6 @@
 name: sysmon_linux
 title: Sysmon for Linux
-version: "1.4.0"
+version: "1.5.0"
 description: Collect Sysmon Linux logs with Elastic Agent.
 type: integration
 categories:
diff --git a/packages/sysmon_linux/validation.yml b/packages/sysmon_linux/validation.yml
index 6cb775c44b6..da88d107c6d 100644
--- a/packages/sysmon_linux/validation.yml
+++ b/packages/sysmon_linux/validation.yml
@@ -1,3 +1,3 @@
 errors:
 exclude_checks:
- - SVR00001 # Saved query, but no filter.
+ - SVR00001 # Saved query, but no filter.
diff --git a/packages/trendmicro/changelog.yml b/packages/trendmicro/changelog.yml
index 81deb58137a..bb51b0b327e 100644
--- a/packages/trendmicro/changelog.yml
+++ b/packages/trendmicro/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: 1.6.0
+ changes:
+ - description: Adapt fields for changes in file system info
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8014
 - version: 1.5.0
 changes:
 - description: Set 'community' owner type.
diff --git a/packages/trendmicro/data_stream/deep_security/_dev/test/system/test-filestream-config.yml b/packages/trendmicro/data_stream/deep_security/_dev/test/system/test-filestream-config.yml
index 04f01c2e5cd..d090f11e703 100644
--- a/packages/trendmicro/data_stream/deep_security/_dev/test/system/test-filestream-config.yml
+++ b/packages/trendmicro/data_stream/deep_security/_dev/test/system/test-filestream-config.yml
@@ -6,3 +6,9 @@ data_stream:
 paths:
 - "{{SERVICE_LOGS_DIR}}/trendmicro.log"
 decode_trendmicro_timezone: UTC
+numeric_keyword_fields:
+ - log.file.device_id
+ - log.file.inode
+ - log.file.idxhi
+ - log.file.idxlo
+ - log.file.vol
diff --git a/packages/trendmicro/data_stream/deep_security/fields/agent.yml b/packages/trendmicro/data_stream/deep_security/fields/agent.yml
index 39d9ad74101..df8246bfab2 100644
--- a/packages/trendmicro/data_stream/deep_security/fields/agent.yml
+++ b/packages/trendmicro/data_stream/deep_security/fields/agent.yml
@@ -187,3 +187,24 @@
 - name: log.offset
 type: long
 description: Log offset
+- name: log.file
+ type: group
+ fields:
+ - name: device_id
+ type: keyword
+ description: ID of the device containing the filesystem where the file resides.
+ - name: fingerprint
+ type: keyword
+ description: The sha256 fingerprint identity of the file when fingerprinting is enabled.
+ - name: inode
+ type: keyword
+ description: Inode number of the log file.
+ - name: idxhi
+ type: keyword
+ description: The high-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: idxlo
+ type: keyword
+ description: The low-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: vol
+ type: keyword
+ description: The serial number of the volume that contains a file. (Windows-only)
diff --git a/packages/trendmicro/data_stream/deep_security/sample_event.json b/packages/trendmicro/data_stream/deep_security/sample_event.json
index dc5b784a4dc..a2c0f6e2477 100644
--- a/packages/trendmicro/data_stream/deep_security/sample_event.json
+++ b/packages/trendmicro/data_stream/deep_security/sample_event.json
@@ -1,11 +1,11 @@
 {
 "@timestamp": "2020-09-21T07:21:11.000Z",
 "agent": {
- "ephemeral_id": "a2b7adf0-c789-464f-bfb2-e7b087d9959c",
- "id": "b66dfb26-fbfb-425e-b205-5c4651dbee3a",
+ "ephemeral_id": "a938b7bf-cad0-499e-92cf-e1620b812710",
+ "id": "62a3937b-7175-47a1-bfa7-3594e38c01fa",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.6.0"
+ "version": "8.10.2"
 },
 "data_stream": {
 "dataset": "trendmicro.deep_security",
@@ -16,9 +16,9 @@
 "version": "8.10.0"
 },
 "elastic_agent": {
- "id": "b66dfb26-fbfb-425e-b205-5c4651dbee3a",
+ "id": "62a3937b-7175-47a1-bfa7-3594e38c01fa",
 "snapshot": false,
- "version": "8.6.0"
+ "version": "8.10.2"
 },
 "event": {
 "agent_id_status": "verified",
@@ -27,7 +27,7 @@
 ],
 "code": "5000000",
 "dataset": "trendmicro.deep_security",
- "ingested": "2023-02-02T13:51:33Z",
+ "ingested": "2023-10-03T10:38:39Z",
 "severity": 5,
 "type": [
 "connection",
@@ -46,6 +46,8 @@
 },
 "log": {
 "file": {
+ "device_id": 2080,
+ "inode": 91232,
 "path": "/tmp/service_logs/trendmicro.log"
 },
 "offset": 20358,
diff --git a/packages/trendmicro/docs/README.md b/packages/trendmicro/docs/README.md
index 8e96d9548af..46d7d7ced41 100644
--- a/packages/trendmicro/docs/README.md
+++ b/packages/trendmicro/docs/README.md
@@ -101,7 +101,13 @@ Deep Security logs collect the trendmicro deep security logs.
 | http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
 | http.request.referrer | Referrer for this HTTP request. | keyword |
 | input.type | Input type | keyword |
+| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword |
+| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword |
+| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.inode | Inode number of the log file. | keyword |
 | log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword |
 | log.offset | Log offset | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
 | log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
diff --git a/packages/trendmicro/manifest.yml b/packages/trendmicro/manifest.yml
index 981e676c706..715d4c26f81 100644
--- a/packages/trendmicro/manifest.yml
+++ b/packages/trendmicro/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.0"
 name: trendmicro
 title: "Trendmicro"
-version: "1.5.0"
+version: "1.6.0"
 description: "collect Trendmicro Deep Security events with elastic agent."
 type: integration
 categories: