From e4cf4e16c310c64a98ac0e31735c769acd9306ee Mon Sep 17 00:00:00 2001
From: Bharat Pasupula
Date: Thu, 28 Sep 2023 22:56:12 +0200
Subject: [PATCH 01/14] [cisco_ise] Add filestream fields

---
 packages/cisco_ise/changelog.yml | 5 +
 .../test/system/test-filestream-config.yml | 6 +
 .../data_stream/log/fields/agent.yml | 22 +++
 .../data_stream/log/sample_event.json | 168 +++++++++--------
 packages/cisco_ise/docs/README.md | 6 +
 packages/cisco_ise/manifest.yml | 2 +-
 6 files changed, 124 insertions(+), 85 deletions(-)

diff --git a/packages/cisco_ise/changelog.yml b/packages/cisco_ise/changelog.yml
index 97b43997dd7c..0e6e0ee4d022 100644
--- a/packages/cisco_ise/changelog.yml
+++ b/packages/cisco_ise/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: 1.17.0
+ changes:
+ - description: Adapt fields for changes in file system info
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8014
 - version: 1.16.0
 changes:
 - description: ECS version updated to 8.10.0.
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/system/test-filestream-config.yml b/packages/cisco_ise/data_stream/log/_dev/test/system/test-filestream-config.yml
index ab621b50029f..3eff9ab8c41d 100644
--- a/packages/cisco_ise/data_stream/log/_dev/test/system/test-filestream-config.yml
+++ b/packages/cisco_ise/data_stream/log/_dev/test/system/test-filestream-config.yml
@@ -6,3 +6,9 @@ data_stream:
 preserve_duplicate_custom_fields: true
 paths:
 - '{{SERVICE_LOGS_DIR}}/*.log'
+numeric_keyword_fields:
+ - log.file.device_id
+ - log.file.inode
+ - log.file.idxhi
+ - log.file.idxlo
+ - log.file.vol
diff --git a/packages/cisco_ise/data_stream/log/fields/agent.yml b/packages/cisco_ise/data_stream/log/fields/agent.yml
index 98d2f9f38d52..becfd8bef824 100644
--- a/packages/cisco_ise/data_stream/log/fields/agent.yml
+++ b/packages/cisco_ise/data_stream/log/fields/agent.yml
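Review bot: The new `numeric_keyword_fields` list carries no explanation of why keyword-mapped fields need numeric values allowed; the reason is visible in the regenerated sample_event.json of this patch, where Filebeat emits `"device_id": 141` and `"inode": 18736897` as numbers while agent.yml maps them as keyword. A one-line comment above the list, `# Filebeat emits these log.file.* identifiers as numbers; the package maps them as keyword.`, would save the next maintainer a search. The same list without a comment appears in cisco_nexus's test-logfile-config.yml in patch 02. Leaving `log.file.fingerprint` out of the list looks correct, since it is a digest string rather than a number.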
@@ -175,3 +175,25 @@
 - name: log.offset
 type: long
 description: Log offset
+- name: log.file
+ type: group
+ fields:
+ - name: device_id
+ type: keyword
+ description: ID of the device containing the filesystem where the file resides.
+ - name: fingerprint
+ type: keyword
+ description: The sha256 fingerprint identity of the file when fingerprinting is enabled.
+ - name: inode
+ type: keyword
+ description: Inode number of the log file.
+ - name: idxhi
+ type: keyword
+ description: The high-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: idxlo
+ type: keyword
+ description: The low-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: vol
+ type: keyword
+ description: The serial number of the volume that contains a file. (Windows-only)
+
diff --git a/packages/cisco_ise/data_stream/log/sample_event.json b/packages/cisco_ise/data_stream/log/sample_event.json
index 371d2775705e..2be1030b524d 100644
--- a/packages/cisco_ise/data_stream/log/sample_event.json
+++ b/packages/cisco_ise/data_stream/log/sample_event.json
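Review bot: The description of `log.file.fingerprint` reads as if the value were a hash of the whole log file, which it is not: filestream's fingerprint file identity hashes only a configured byte range at the start of the file, so the value must not be taken as an integrity check of the log content. Suggest `description: SHA-256 of the configured byte range at the start of the file, used by filestream as the file identity when fingerprinting is enabled; not a hash of the whole file.`, with the same text in the README table. The hunk also adds a trailing empty line after `log.file.vol` (`+` with no content) that the identical group in cisco_nexus's beats.yml in patch 02 does not have; dropping it keeps the two copies byte-identical. Separately, manifest.yml in this patch changes `version: "1.16.0"` to the unquoted `version: 1.17.0`, while the cisco_nexus bump keeps the quotes; `version: "1.17.0"` keeps the field a quoted string across packages.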
@@ -1,164 +1,164 @@ { - "@timestamp": "2020-04-27T11:11:47.028-08:00", + "@timestamp": "2020-02-21T19:13:08.328Z", "agent": { - "ephemeral_id": "86f518cd-51e3-4798-9fa5-e8947dc5d209", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "80f878c2-658d-44da-9195-0431c30ae456", + "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.10.1" }, "cisco_ise": { "log": { "acct": { - "authentic": "RADIUS", - "session": { - "id": "00000000/d4:ca:6d:14:87:3b/20879" - }, - "status": { - "type": "Start" + "request": { + "flags": "Stop" } }, "acs": { "session": { - "id": "hijk.xyz.com/176956368/1092777" - } - }, - "airespace": { - "wlan": { - "id": 1 - } - }, - "allowed_protocol": { - "matched": { - "rule": "Default" + "id": "ldnnacpsn1/359344348/952729" } }, - "called_station": { - "id": "00-24-97-69-7a-c0" - }, - "calling_station": { - "id": "d4-ca-6d-14-87-3b" + "authen_method": "TacacsPlus", + "avpair": { + "priv_lvl": 15, + "start_time": "2020-03-26T01:17:12.000Z", + "task_id": "2962", + "timezone": "GMT" }, "category": { - "name": "CISE_RADIUS_Accounting" + "name": "CISE_TACACS_Accounting" }, - "class": "CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772", + "cmdset": "[ CmdAV=show mac-address-table ]", "config_version": { - "id": 33 + "id": 1829 }, "cpm": { "session": { - "id": "0a222bc0000000d123e111f0" + "id": "81.2.69.144Accounting306034364" } }, - "event": { - "timestamp": "2014-01-10T07:59:55.000Z" - }, - "framed": { - "ip": "81.2.69.145" + "device": { + "type": [ + "Device Type#All Device Types#Routers", + "Device Type#All Device Types#Routers" + ] }, - "location": "Location#All Locations#SJC#WNBU", + "ipsec": [ + "IPSEC#Is IPSEC Device", + "IPSEC#Is IPSEC Device" + ], + "location": [ + "Location#All Locations#EMEA", + "Location#All Locations#EMEA" + ], "message": { - "code": "3000", - "description": "Radius-Accounting: RADIUS Accounting start request", - "id": 
"0000070618" - }, - "nas": { - "identifier": "Acme_fe:56:00", - "ip": "81.2.69.145", - "port": { - "number": 13, - "type": "Wireless - IEEE 802.11" - } + "code": "3300", + "description": "Tacacs-Accounting: TACACS+ Accounting with Command", + "id": "0000000001" + }, + "model": { + "name": "Unknown" }, "network": { "device": { "groups": [ - "Location#All Locations#SJC#WNBU", - "Device Type#All Device Types#Wireless#WLC" + "Location#All Locations#EMEA", + "Device Type#All Device Types#Routers", + "IPSEC#Is IPSEC Device" ], - "name": "WNBU-WLC1" + "name": "wlnwan1", + "profile": [ + "Cisco", + "Cisco" + ] } }, + "port": "tty10", + "privilege": { + "level": 15 + }, "request": { - "latency": 6 + "latency": 1 + }, + "response": { + "AcctReply-Status": "Success" }, "segment": { "number": 0, - "total": 1 + "total": 4 }, "selected": { "access": { - "service": "Default Network Access" + "service": "Device Admin - TACACS" } }, + "service": { + "argument": "shell", + "name": "Login" + }, + "software": { + "version": "Unknown" + }, "step": [ - "11004", - "11017", + "13006", "15049", "15008", "15048", - "15048", - "15048", - "15004", - "15006", - "11005" + "13035" ], - "tunnel": { - "medium": { - "type": "(tag=0) 802" - }, - "private": { - "group_id": "(tag=0) 70" - }, - "type": "(tag=0) VLAN" - } + "type": "Accounting" } }, "client": { - "ip": "81.2.69.145" + "ip": "81.2.69.144" }, "data_stream": { "dataset": "cisco_ise.log", "namespace": "ep", "type": "logs" }, + "destination": { + "ip": "81.2.69.144" + }, "ecs": { "version": "8.10.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", "snapshot": false, - "version": "8.9.1" + "version": "8.10.1" }, "event": { - "action": "radius-accounting", + "action": "tacacs-accounting", "agent_id_status": "verified", "category": [ "configuration" ], "dataset": "cisco_ise.log", - "ingested": "2023-08-29T17:11:24Z", + "ingested": "2023-09-28T20:36:57Z", "kind": "event", - 
"original": "\u003c182\u003eApr 27 11:11:47 hijk.xyz.com CISE_RADIUS_Accounting 0000070618 1 0 2020-04-27 11:11:47.028075 -08:00 0091827141 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=6, NetworkDeviceName=WNBU-WLC1, User-Name=nisehorrrrn, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=81.2.69.145, Class=CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=d4-ca-6d-14-87-3b, NAS-Identifier=Acme_fe:56:00, Acct-Status-Type=Start, Acct-Session-Id=00000000/d4:ca:6d:14:87:3b/20879, Acct-Authentic=RADIUS, Event-Timestamp=1389340795, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, Airespace-Wlan-Id=1, AcsSessionID=hijk.xyz.com/176956368/1092777, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a222bc0000000d123e111f0, AllowedProtocolMatchedRule=Default, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC", - "sequence": 91827141, - "timezone": "-08:00", + "original": "<182>Feb 21 19:13:08 cisco-ise-host CISE_TACACS_Accounting 0000000001 4 0 2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=2962, AVPair=timezone=GMT, AVPair=start_time=1585185432, AVPair=priv-lvl=15, AcctRequest-Flags=Stop, 
Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", + "sequence": 18415781, + "timezone": "+00:00", "type": [ "info" ] }, "host": { - "hostname": "hijk.xyz.com" + "hostname": "cisco-ise-host" }, "input": { "type": "filestream" }, "log": { "file": { + "device_id": 141, + "inode": 18736897, "path": "/tmp/service_logs/log.log" }, "level": "notice", - "offset": 44899, + "offset": 71596, "syslog": { "priority": 182, "severity": { 
@@ -166,16 +166,16 @@ } } }, - "message": "2020-04-27 11:11:47.028075 -08:00 0091827141 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=6, NetworkDeviceName=WNBU-WLC1, User-Name=nisehorrrrn, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=81.2.69.145, Class=CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=d4-ca-6d-14-87-3b, NAS-Identifier=Acme_fe:56:00, Acct-Status-Type=Start, Acct-Session-Id=00000000/d4:ca:6d:14:87:3b/20879, Acct-Authentic=RADIUS, Event-Timestamp=1389340795, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, Airespace-Wlan-Id=1, AcsSessionID=hijk.xyz.com/176956368/1092777, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a222bc0000000d123e111f0, AllowedProtocolMatchedRule=Default, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC", + "message": "2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=2962, AVPair=timezone=GMT, AVPair=start_time=1585185432, AVPair=priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, 
NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", "related": { "hosts": [ - "hijk.xyz.com" + "cisco-ise-host" ], "ip": [ - "81.2.69.145" + "81.2.69.144" ], "user": [ - "nisehorrrrn" + "psxvne" ] }, "tags": [ @@ -184,6 +184,6 @@ "cisco_ise-log" ], "user": { - "name": "nisehorrrrn" + "name": "psxvne" } } \ No newline at end of file diff --git a/packages/cisco_ise/docs/README.md b/packages/cisco_ise/docs/README.md index e8d42a655a00..04428f1e8581 100644 --- a/packages/cisco_ise/docs/README.md +++ b/packages/cisco_ise/docs/README.md 
@@ -532,7 +532,13 @@ An example event for `log` looks as following:
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
+| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword |
+| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword |
+| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.inode | Inode number of the log file. | keyword |
 | log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword |
 | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
 | log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
 | log.offset | Log offset | long |
diff --git a/packages/cisco_ise/manifest.yml b/packages/cisco_ise/manifest.yml
index d497f64eff6e..82a304a0fc02 100644
--- a/packages/cisco_ise/manifest.yml
+++ b/packages/cisco_ise/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.0"
 name: cisco_ise
 title: Cisco ISE
-version: "1.16.0"
+version: 1.17.0
 description: Collect logs from Cisco ISE with Elastic Agent.
 type: integration
 categories:

From 245b67cd327c7ec429888921680967ebde9643a5 Mon Sep 17 00:00:00 2001
From: Bharat Pasupula
Date: Fri, 29 Sep 2023 10:09:49 +0200
Subject: [PATCH 02/14] [cisco_nexus] Add new filestream fields

---
 packages/cisco_nexus/changelog.yml | 5 ++
 .../_dev/test/system/test-logfile-config.yml | 6 +++
 .../data_stream/log/fields/beats.yml | 21 ++++++++
 .../data_stream/log/sample_event.json | 45 +++++++++++-----
 packages/cisco_nexus/docs/README.md | 51 ++++++++++++++-----
 packages/cisco_nexus/manifest.yml | 2 +-
 6 files changed, 103 insertions(+), 27 deletions(-)

diff --git a/packages/cisco_nexus/changelog.yml b/packages/cisco_nexus/changelog.yml
index 46bc4134aae0..053ae98af1d3 100644
--- a/packages/cisco_nexus/changelog.yml
+++ b/packages/cisco_nexus/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: 0.19.0
+ changes:
+ - description: Adapt fields for changes in file system info
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8014
 - version: 0.18.0
 changes:
 - description: ECS version updated to 8.10.0.
diff --git a/packages/cisco_nexus/data_stream/log/_dev/test/system/test-logfile-config.yml b/packages/cisco_nexus/data_stream/log/_dev/test/system/test-logfile-config.yml
index d4d17ffe521c..352fa272e221 100644
--- a/packages/cisco_nexus/data_stream/log/_dev/test/system/test-logfile-config.yml
+++ b/packages/cisco_nexus/data_stream/log/_dev/test/system/test-logfile-config.yml
@@ -6,3 +6,9 @@ data_stream:
 - "{{SERVICE_LOGS_DIR}}/*nexus*.log"
 preserve_original_event: true
 preserve_duplicate_custom_fields: true
+numeric_keyword_fields:
+ - log.file.device_id
+ - log.file.inode
+ - log.file.idxhi
+ - log.file.idxlo
+ - log.file.vol
diff --git a/packages/cisco_nexus/data_stream/log/fields/beats.yml b/packages/cisco_nexus/data_stream/log/fields/beats.yml
index 2d5ae254634d..437240029987 100644
--- a/packages/cisco_nexus/data_stream/log/fields/beats.yml
+++ b/packages/cisco_nexus/data_stream/log/fields/beats.yml
@@ -7,3 +7,24 @@
 - name: tags
 type: keyword
 description: User defined tags.
+- name: log.file
+ type: group
+ fields:
+ - name: device_id
+ type: keyword
+ description: ID of the device containing the filesystem where the file resides.
+ - name: fingerprint
+ type: keyword
+ description: The sha256 fingerprint identity of the file when fingerprinting is enabled.
+ - name: inode
+ type: keyword
+ description: Inode number of the log file.
+ - name: idxhi
+ type: keyword
+ description: The high-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: idxlo
+ type: keyword
+ description: The low-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: vol
+ type: keyword
+ description: The serial number of the volume that contains a file. (Windows-only)
diff --git a/packages/cisco_nexus/data_stream/log/sample_event.json b/packages/cisco_nexus/data_stream/log/sample_event.json
index 72ebfc676847..5f723324439f 100644
--- a/packages/cisco_nexus/data_stream/log/sample_event.json
+++ b/packages/cisco_nexus/data_stream/log/sample_event.json
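Review bot: None of the `log.file.*` fields defined here is shown by the package's sample event: the regenerated sample_event.json in this patch comes from the tcp input (`"input": { "type": "tcp" }`) and its `log` object holds only `level`, `source` and `syslog`, so the README example gives readers no instance of the new fields. Regenerating the sample from the logfile system test, as the cisco_ise sample in patch 01 was (it shows `device_id` and `inode`), would document them. The regeneration also swapped the example from a udp "last message repeated" event to a tcp parity-error event, which looks unrelated to this change and adds diff noise. Each `description` here and in the README table should say when the field is present, e.g. `description: Inode number of the log file (only present when the event was read from a file).`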
@@ -1,19 +1,23 @@
 {
 "@timestamp": "2023-04-26T09:08:48.000Z",
 "agent": {
- "ephemeral_id": "777b3d32-4639-4d5d-bc3e-fa5e4053d335",
- "id": "ae8acf2b-2fd5-4ab9-921c-e92bc69cd32c",
+ "ephemeral_id": "c26767a5-820b-4d00-baa4-91a2ccb68a2f",
+ "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.7.0"
+ "version": "8.10.1"
 },
 "cisco_nexus": {
 "log": {
- "description": "last message repeated 3 time",
+ "description": "EARL 0 NF ASIC: Uncorrectable Parity error in Netflow Table.",
+ "facility": "EARL",
 "priority_number": 187,
+ "severity": 3,
+ "standby": "SW2_DFC1",
 "switch_name": "switchname",
 "time": "2023-04-26T09:08:48.000Z",
- "timezone": "UTC"
+ "timezone": "UTC",
+ "type": "NF_PARITY_ERROR"
 }
 },
 "data_stream": {
@@ -25,29 +29,44 @@
 "version": "8.10.0"
 },
 "elastic_agent": {
- "id": "ae8acf2b-2fd5-4ab9-921c-e92bc69cd32c",
+ "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485",
 "snapshot": false,
- "version": "8.7.0"
+ "version": "8.10.1"
 },
 "event": {
 "agent_id_status": "verified",
+ "category": [
+ "network"
+ ],
+ "code": "NF_PARITY_ERROR",
 "dataset": "cisco_nexus.log",
- "ingested": "2023-06-15T06:21:25Z",
+ "ingested": "2023-09-28T21:03:12Z",
 "kind": "event",
- "original": "\u003c187\u003eswitchname: 2023 Apr 26 09:08:48 UTC: last message repeated 3 time"
+ "original": "<187>switchname: 2023 Apr 26 09:08:48 UTC: %EARL-SW2_DFC1-3-NF_PARITY_ERROR: EARL 0 NF ASIC: Uncorrectable Parity error in Netflow Table.",
+ "severity": 3,
+ "type": [
+ "info"
+ ]
 },
 "input": {
- "type": "udp"
+ "type": "tcp"
 },
 "log": {
+ "level": "error",
 "source": {
- "address": "192.168.251.1:37485"
+ "address": "192.168.192.4:45126"
 },
 "syslog": {
- "priority": 187
+ "facility": {
+ "code": 23
+ },
+ "priority": 187,
+ "severity": {
+ "code": 3
+ }
 }
 },
- "message": "last message repeated 3 time",
+ "message": "EARL 0 NF ASIC: Uncorrectable Parity error in Netflow Table.",
 "observer": {
 "name": "switchname",
 "product": "Nexus",
diff --git a/packages/cisco_nexus/docs/README.md b/packages/cisco_nexus/docs/README.md
index 0119a3ec8911..c12c20ff3ac4 100644
--- a/packages/cisco_nexus/docs/README.md
+++ b/packages/cisco_nexus/docs/README.md
@@ -46,19 +46,23 @@ An example event for `log` looks as following:
 {
 "@timestamp": "2023-04-26T09:08:48.000Z",
 "agent": {
- "ephemeral_id": "777b3d32-4639-4d5d-bc3e-fa5e4053d335",
- "id": "ae8acf2b-2fd5-4ab9-921c-e92bc69cd32c",
+ "ephemeral_id": "c26767a5-820b-4d00-baa4-91a2ccb68a2f",
+ "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.7.0"
+ "version": "8.10.1"
 },
 "cisco_nexus": {
 "log": {
- "description": "last message repeated 3 time",
+ "description": "EARL 0 NF ASIC: Uncorrectable Parity error in Netflow Table.",
+ "facility": "EARL",
 "priority_number": 187,
+ "severity": 3,
+ "standby": "SW2_DFC1",
 "switch_name": "switchname",
 "time": "2023-04-26T09:08:48.000Z",
- "timezone": "UTC"
+ "timezone": "UTC",
+ "type": "NF_PARITY_ERROR"
 }
 },
 "data_stream": {
@@ -70,29 +74,44 @@ An example event for `log` looks as following:
 "version": "8.10.0"
 },
 "elastic_agent": {
- "id": "ae8acf2b-2fd5-4ab9-921c-e92bc69cd32c",
+ "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485",
 "snapshot": false,
- "version": "8.7.0"
+ "version": "8.10.1"
 },
 "event": {
 "agent_id_status": "verified",
+ "category": [
+ "network"
+ ],
+ "code": "NF_PARITY_ERROR",
 "dataset": "cisco_nexus.log",
- "ingested": "2023-06-15T06:21:25Z",
+ "ingested": "2023-09-28T21:03:12Z",
 "kind": "event",
- "original": "\u003c187\u003eswitchname: 2023 Apr 26 09:08:48 UTC: last message repeated 3 time"
+ "original": "<187>switchname: 2023 Apr 26 09:08:48 UTC: %EARL-SW2_DFC1-3-NF_PARITY_ERROR: EARL 0 NF ASIC: Uncorrectable Parity error in Netflow Table.",
+ "severity": 3,
+ "type": [
+ "info"
+ ]
 },
 "input": {
- "type": "udp"
+ "type": "tcp"
 },
 "log": {
+ "level": "error",
 "source": {
- "address": "192.168.251.1:37485"
+ "address": "192.168.192.4:45126"
 },
 "syslog": {
- "priority": 187
+ "facility": {
+ "code": 23
+ },
+ "priority": 187,
+ "severity": {
+ "code": 3
+ }
 }
 },
- "message": "last message repeated 3 time",
+ "message": "EARL 0 NF ASIC: Uncorrectable Parity error in Netflow Table.",
 "observer": {
 "name": "switchname",
 "product": "Nexus",
@@ -153,6 +172,12 @@ An example event for `log` looks as following:
 | event.dataset | Event dataset. | constant_keyword |
 | event.module | Event module. | constant_keyword |
 | input.type | Type of Filebeat input. | keyword |
+| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword |
+| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword |
+| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.inode | Inode number of the log file. | keyword |
+| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword |
 | log.offset | Log offset. | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
 | tags | User defined tags. | keyword |
diff --git a/packages/cisco_nexus/manifest.yml b/packages/cisco_nexus/manifest.yml
index eb79fc72f121..592faa1a5a4f 100644
--- a/packages/cisco_nexus/manifest.yml
+++ b/packages/cisco_nexus/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.0"
 name: cisco_nexus
 title: Cisco Nexus
-version: "0.18.0"
+version: "0.19.0"
 description: Collect logs from Cisco Nexus with Elastic Agent.
 type: integration
 categories:

From ff93c7de6477563243a0f7b5643fa4b22aeb6034 Mon Sep 17 00:00:00 2001
From: Bharat Pasupula
Date: Fri, 29 Sep 2023 11:06:33 +0200
Subject: [PATCH 04/14] [f5_bigip] Add new filestream fields

---
 packages/f5_bigip/changelog.yml | 5 +++
 .../test/system/test-filestream-config.yml | 6 ++++
 .../f5_bigip/data_stream/log/fields/agent.yml | 21 +++++++++++++
 .../data_stream/log/sample_event.json | 25 +++++++++------
 packages/f5_bigip/docs/README.md | 31 +++++++++++++------
 packages/f5_bigip/manifest.yml | 2 +-
 6 files changed, 69 insertions(+), 21 deletions(-)

diff --git a/packages/f5_bigip/changelog.yml b/packages/f5_bigip/changelog.yml
index d02184458cc9..e31c9fa5efb7 100644
--- a/packages/f5_bigip/changelog.yml
+++ b/packages/f5_bigip/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: 1.11.0
+ changes:
+ - description: Adapt fields for changes in file system info
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8014
 - version: 1.10.0
 changes:
 - description: ECS version updated to 8.10.0.
@@ -35,166 +35,166 @@ An example event for `log` looks as following: ```json { - "@timestamp": "2020-04-27T11:11:47.028-08:00", + "@timestamp": "2020-02-21T19:13:08.328Z", "agent": { - "ephemeral_id": "86f518cd-51e3-4798-9fa5-e8947dc5d209", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "80f878c2-658d-44da-9195-0431c30ae456", + "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.10.1" }, "cisco_ise": { "log": { "acct": { - "authentic": "RADIUS", - "session": { - "id": "00000000/d4:ca:6d:14:87:3b/20879" - }, - "status": { - "type": "Start" + "request": { + "flags": "Stop" } }, "acs": { "session": { - "id": "hijk.xyz.com/176956368/1092777" - } - }, - "airespace": { - "wlan": { - "id": 1 - } - }, - "allowed_protocol": { - "matched": { - "rule": "Default" + "id": "ldnnacpsn1/359344348/952729" } }, - "called_station": { - "id": "00-24-97-69-7a-c0" - }, - "calling_station": { - "id": "d4-ca-6d-14-87-3b" + "authen_method": "TacacsPlus", + "avpair": { + "priv_lvl": 15, + "start_time": "2020-03-26T01:17:12.000Z", + "task_id": "2962", + "timezone": "GMT" }, "category": { - "name": "CISE_RADIUS_Accounting" + "name": "CISE_TACACS_Accounting" }, - "class": "CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772", + "cmdset": "[ CmdAV=show mac-address-table ]", "config_version": { - "id": 33 + "id": 1829 }, "cpm": { "session": { - "id": "0a222bc0000000d123e111f0" + "id": "81.2.69.144Accounting306034364" } }, - "event": { - "timestamp": "2014-01-10T07:59:55.000Z" - }, - "framed": { - "ip": "81.2.69.145" + "device": { + "type": [ + "Device Type#All Device Types#Routers", + "Device Type#All Device Types#Routers" + ] }, - "location": "Location#All Locations#SJC#WNBU", + "ipsec": [ + "IPSEC#Is IPSEC Device", + "IPSEC#Is IPSEC Device" + ], + "location": [ + "Location#All Locations#EMEA", + "Location#All Locations#EMEA" + ], "message": { - "code": "3000", - "description": 
"Radius-Accounting: RADIUS Accounting start request", - "id": "0000070618" + "code": "3300", + "description": "Tacacs-Accounting: TACACS+ Accounting with Command", + "id": "0000000001" }, - "nas": { - "identifier": "Acme_fe:56:00", - "ip": "81.2.69.145", - "port": { - "number": 13, - "type": "Wireless - IEEE 802.11" - } + "model": { + "name": "Unknown" }, "network": { "device": { "groups": [ - "Location#All Locations#SJC#WNBU", - "Device Type#All Device Types#Wireless#WLC" + "Location#All Locations#EMEA", + "Device Type#All Device Types#Routers", + "IPSEC#Is IPSEC Device" ], - "name": "WNBU-WLC1" + "name": "wlnwan1", + "profile": [ + "Cisco", + "Cisco" + ] } }, + "port": "tty10", + "privilege": { + "level": 15 + }, "request": { - "latency": 6 + "latency": 1 + }, + "response": { + "AcctReply-Status": "Success" }, "segment": { "number": 0, - "total": 1 + "total": 4 }, "selected": { "access": { - "service": "Default Network Access" + "service": "Device Admin - TACACS" } }, + "service": { + "argument": "shell", + "name": "Login" + }, + "software": { + "version": "Unknown" + }, "step": [ - "11004", - "11017", + "13006", "15049", "15008", "15048", - "15048", - "15048", - "15004", - "15006", - "11005" + "13035" ], - "tunnel": { - "medium": { - "type": "(tag=0) 802" - }, - "private": { - "group_id": "(tag=0) 70" - }, - "type": "(tag=0) VLAN" - } + "type": "Accounting" } }, "client": { - "ip": "81.2.69.145" + "ip": "81.2.69.144" }, "data_stream": { "dataset": "cisco_ise.log", "namespace": "ep", "type": "logs" }, + "destination": { + "ip": "81.2.69.144" + }, "ecs": { "version": "8.10.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", "snapshot": false, - "version": "8.9.1" + "version": "8.10.1" }, "event": { - "action": "radius-accounting", + "action": "tacacs-accounting", "agent_id_status": "verified", "category": [ "configuration" ], "dataset": "cisco_ise.log", - "ingested": "2023-08-29T17:11:24Z", + 
"ingested": "2023-09-28T20:36:57Z", "kind": "event", - "original": "\u003c182\u003eApr 27 11:11:47 hijk.xyz.com CISE_RADIUS_Accounting 0000070618 1 0 2020-04-27 11:11:47.028075 -08:00 0091827141 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=6, NetworkDeviceName=WNBU-WLC1, User-Name=nisehorrrrn, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=81.2.69.145, Class=CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=d4-ca-6d-14-87-3b, NAS-Identifier=Acme_fe:56:00, Acct-Status-Type=Start, Acct-Session-Id=00000000/d4:ca:6d:14:87:3b/20879, Acct-Authentic=RADIUS, Event-Timestamp=1389340795, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, Airespace-Wlan-Id=1, AcsSessionID=hijk.xyz.com/176956368/1092777, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a222bc0000000d123e111f0, AllowedProtocolMatchedRule=Default, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC", - "sequence": 91827141, - "timezone": "-08:00", + "original": "<182>Feb 21 19:13:08 cisco-ise-host CISE_TACACS_Accounting 0000000001 4 0 2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=2962, AVPair=timezone=GMT, AVPair=start_time=1585185432, 
AVPair=priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", + "sequence": 18415781, + "timezone": "+00:00", "type": [ "info" ] }, "host": { - "hostname": "hijk.xyz.com" + "hostname": "cisco-ise-host" }, "input": { "type": "filestream" }, "log": { "file": { + "device_id": 141, + "inode": 18736897, "path": "/tmp/service_logs/log.log" }, "level": "notice", - "offset": 44899, + "offset": 71596, "syslog": { "priority": 182, "severity": { 
@@ -202,16 +202,16 @@ An example event for `log` looks as following: } } }, - "message": "2020-04-27 11:11:47.028075 -08:00 0091827141 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=6, NetworkDeviceName=WNBU-WLC1, User-Name=nisehorrrrn, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=81.2.69.145, Class=CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=d4-ca-6d-14-87-3b, NAS-Identifier=Acme_fe:56:00, Acct-Status-Type=Start, Acct-Session-Id=00000000/d4:ca:6d:14:87:3b/20879, Acct-Authentic=RADIUS, Event-Timestamp=1389340795, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, Airespace-Wlan-Id=1, AcsSessionID=hijk.xyz.com/176956368/1092777, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a222bc0000000d123e111f0, AllowedProtocolMatchedRule=Default, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC", + "message": "2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=2962, AVPair=timezone=GMT, AVPair=start_time=1585185432, AVPair=priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, 
Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", "related": { "hosts": [ - "hijk.xyz.com" + "cisco-ise-host" ], "ip": [ - "81.2.69.145" + "81.2.69.144" ], "user": [ - "nisehorrrrn" + "psxvne" ] }, "tags": [ @@ -220,7 +220,7 @@ An example event for `log` looks as following: "cisco_ise-log" ], "user": { - "name": "nisehorrrrn" + "name": "psxvne" } } ``` From f7f250ea4ad54e489578c41f18bcf4585b87f556 Mon Sep 17 00:00:00 2001 From: Bharat Pasupula Date: Fri, 29 Sep 2023 11:06:33 +0200 Subject: [PATCH 04/14] [f5_bigip] Add new filestream fields --- packages/f5_bigip/changelog.yml | 5 +++ .../test/system/test-filestream-config.yml | 6 ++++ .../f5_bigip/data_stream/log/fields/agent.yml | 21 +++++++++++++ .../data_stream/log/sample_event.json | 25 +++++++++------ packages/f5_bigip/docs/README.md | 31 +++++++++++++------ packages/f5_bigip/manifest.yml | 2 +- 6 files changed, 69 insertions(+), 21 deletions(-) diff --git a/packages/f5_bigip/changelog.yml b/packages/f5_bigip/changelog.yml index d02184458cc9..e31c9fa5efb7 100644 --- a/packages/f5_bigip/changelog.yml +++ b/packages/f5_bigip/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: 1.11.0 + changes: + - description: Adapt fields for changes in file system info + type: enhancement + link: https://github.com/elastic/integrations/pull/8014 - version: 1.10.0 changes: - description: ECS version updated to 8.10.0. 
diff --git a/packages/f5_bigip/data_stream/log/_dev/test/system/test-filestream-config.yml b/packages/f5_bigip/data_stream/log/_dev/test/system/test-filestream-config.yml index 55948b52c200..45eac279bab1 100644 --- a/packages/f5_bigip/data_stream/log/_dev/test/system/test-filestream-config.yml +++ b/packages/f5_bigip/data_stream/log/_dev/test/system/test-filestream-config.yml @@ -6,3 +6,9 @@ data_stream: preserve_duplicate_custom_fields: true paths: - '{{SERVICE_LOGS_DIR}}/*.log' +numeric_keyword_fields: + - log.file.device_id + - log.file.inode + - log.file.idxhi + - log.file.idxlo + - log.file.vol diff --git a/packages/f5_bigip/data_stream/log/fields/agent.yml b/packages/f5_bigip/data_stream/log/fields/agent.yml index 10023a117430..1740ca457d30 100644 --- a/packages/f5_bigip/data_stream/log/fields/agent.yml +++ b/packages/f5_bigip/data_stream/log/fields/agent.yml @@ -181,3 +181,24 @@ - name: log.offset type: long description: Log offset +- name: log.file + type: group + fields: + - name: device_id + type: keyword + description: ID of the device containing the filesystem where the file resides. + - name: fingerprint + type: keyword + description: The sha256 fingerprint identity of the file when fingerprinting is enabled. + - name: inode + type: keyword + description: Inode number of the log file. + - name: idxhi + type: keyword + description: The high-order part of a unique identifier that is associated with a file. (Windows-only) + - name: idxlo + type: keyword + description: The low-order part of a unique identifier that is associated with a file. (Windows-only) + - name: vol + type: keyword + description: The serial number of the volume that contains a file. (Windows-only) diff --git a/packages/f5_bigip/data_stream/log/sample_event.json b/packages/f5_bigip/data_stream/log/sample_event.json index e4329a0dfb52..3a1350d9dfda 100644 --- a/packages/f5_bigip/data_stream/log/sample_event.json +++ b/packages/f5_bigip/data_stream/log/sample_event.json 
@@ -1,12 +1,11 @@ { "@timestamp": "2018-11-19T22:34:40.000Z", "agent": { - "ephemeral_id": "e53fc33d-3e0e-4f88-a338-d65c29e5d7de", - "hostname": "docker-fleet-agent", - "id": "121c9eba-d12d-4405-9bf4-83bc92e8c764", + "ephemeral_id": "7424b1c1-85c4-4e8c-8f5f-ec6f67672622", + "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", "name": "docker-fleet-agent", "type": "filebeat", - "version": "7.17.0" + "version": "8.10.1" }, "client": { "ip": "81.2.69.142" @@ -24,9 +23,9 @@ "version": "8.10.0" }, "elastic_agent": { - "id": "121c9eba-d12d-4405-9bf4-83bc92e8c764", + "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", "snapshot": false, - "version": "7.17.0" + "version": "8.10.1" }, "event": { "agent_id_status": "verified", 
@@ -34,9 +33,9 @@ "network" ], "dataset": "f5_bigip.log", - "ingested": "2022-10-21T06:12:02Z", + "ingested": "2023-09-29T08:22:16Z", "kind": "event", - "original": "{\"application\":\"app.app\",\"attack_type\":\"Detection Evasion\",\"blocking_exception_reason\":\"test\",\"captcha_result\":\"not_received\",\"date_time\":\"2018-11-19 22:34:40\",\"dest_ip\":\"81.2.69.142\",\"dest_port\":\"80\",\"device_id\":\"12bdca32\",\"fragment\":\"test_Fragment\",\"geo_location\":\"US\",\"hostname\":\"hostname\",\"http_class_name\":\"/Common/abc/test\",\"ip_address_intelligence\":\"host1\",\"ip_client\":\"81.2.69.142\",\"management_ip_address\":\"81.2.69.142\",\"management_ip_address_2\":\"81.2.69.144\",\"method\":\"GET\",\"policy_apply_date\":\"2018-11-19 22:17:57\",\"policy_name\":\"/Common/abc\",\"protocol\":\"HTTP\",\"query_string\":\"name=abc\",\"request\":\"GET /admin/.\",\"request_status\":\"blocked\",\"response_code\":\"0\",\"route_domain\":\"example.com\",\"session_id\":\"abc123abcd\",\"severity\":\"Critical\",\"sig_ids\":\"abc12bcd\",\"sig_names\":\"Sig_Name\",\"src_port\":\"49804\",\"staged_sig_ids\":\"abc23121bc\",\"staged_sig_names\":\"test_name\",\"staged_threat_campaign_names\":\"test\",\"sub_violations\":\"Evasion technique detected:Directory traversals\",\"support_id\":\"123456789\",\"telemetryEventCategory\":\"ASM\",\"tenant\":\"Common\",\"threat_campaign_names\":\"threat\",\"uri\":\"/directory/file\",\"username\":\"test User\",\"violation_rating\":\"3\",\"violations\":\"Evasion technique detected\",\"virus_name\":\"test Virus\",\"web_application_name\":\"/Common/abc\",\"websocket_direction\":\"test\",\"websocket_message_type\":\"test\",\"x_forwarded_for_header_value\":\"81.2.69.144\"}", + "original": "{\"hostname\":\"hostname\",\"management_ip_address\":\"81.2.69.142\",\"management_ip_address_2\":\"81.2.69.144\",\"http_class_name\":\"/Common/abc/test\",\"web_application_name\":\"/Common/abc\",\"policy_name\":\"/Common/abc\",\"policy_apply_date\":\"2018-11-19 
22:17:57\",\"violations\":\"Evasion technique detected\",\"support_id\":\"123456789\",\"request_status\":\"blocked\",\"response_code\":\"0\",\"ip_client\":\"81.2.69.142\",\"route_domain\":\"example.com\",\"method\":\"GET\",\"protocol\":\"HTTP\",\"query_string\":\"name=abc\",\"x_forwarded_for_header_value\":\"81.2.69.144\",\"sig_ids\":\"abc12bcd\",\"sig_names\":\"Sig_Name\",\"date_time\":\"2018-11-19 22:34:40\",\"severity\":\"Critical\",\"attack_type\":\"Detection Evasion\",\"geo_location\":\"US\",\"ip_address_intelligence\":\"host1\",\"username\":\"test User\",\"session_id\":\"abc123abcd\",\"src_port\":\"49804\",\"dest_port\":\"80\",\"dest_ip\":\"81.2.69.142\",\"sub_violations\":\"Evasion technique detected:Directory traversals\",\"virus_name\":\"test Virus\",\"violation_rating\":\"3\",\"websocket_direction\":\"test\",\"websocket_message_type\":\"test\",\"device_id\":\"12bdca32\",\"staged_sig_ids\":\"abc23121bc\",\"staged_sig_names\":\"test_name\",\"threat_campaign_names\":\"threat\",\"staged_threat_campaign_names\":\"test\",\"blocking_exception_reason\":\"test\",\"captcha_result\":\"not_received\",\"uri\":\"/directory/file\",\"fragment\":\"test_Fragment\",\"request\":\"GET /admin/.\",\"tenant\":\"Common\",\"application\":\"app.app\",\"telemetryEventCategory\":\"ASM\"}", "type": [ "info" ] @@ -151,10 +150,16 @@ } }, "input": { - "type": "http_endpoint" + "type": "filestream" }, "log": { - "level": "critical" + "file": { + "device_id": 141, + "inode": 18837280, + "path": "/tmp/service_logs/log.log" + }, + "level": "critical", + "offset": 1876 }, "network": { "application": "app.app", diff --git a/packages/f5_bigip/docs/README.md b/packages/f5_bigip/docs/README.md index 19b8e62b90d9..068470027508 100644 --- a/packages/f5_bigip/docs/README.md +++ b/packages/f5_bigip/docs/README.md 
@@ -161,12 +161,11 @@ An example event for `log` looks as following: { "@timestamp": "2018-11-19T22:34:40.000Z", "agent": { - "ephemeral_id": "e53fc33d-3e0e-4f88-a338-d65c29e5d7de", - "hostname": "docker-fleet-agent", - "id": "121c9eba-d12d-4405-9bf4-83bc92e8c764", + "ephemeral_id": "7424b1c1-85c4-4e8c-8f5f-ec6f67672622", + "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", "name": "docker-fleet-agent", "type": "filebeat", - "version": "7.17.0" + "version": "8.10.1" }, "client": { "ip": "81.2.69.142" @@ -184,9 +183,9 @@ An example event for `log` looks as following: "version": "8.10.0" }, "elastic_agent": { - "id": "121c9eba-d12d-4405-9bf4-83bc92e8c764", + "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", "snapshot": false, - "version": "7.17.0" + "version": "8.10.1" }, "event": { "agent_id_status": "verified", 
@@ -194,9 +193,9 @@ An example event for `log` looks as following: "network" ], "dataset": "f5_bigip.log", - "ingested": "2022-10-21T06:12:02Z", + "ingested": "2023-09-29T08:22:16Z", "kind": "event", - "original": "{\"application\":\"app.app\",\"attack_type\":\"Detection Evasion\",\"blocking_exception_reason\":\"test\",\"captcha_result\":\"not_received\",\"date_time\":\"2018-11-19 22:34:40\",\"dest_ip\":\"81.2.69.142\",\"dest_port\":\"80\",\"device_id\":\"12bdca32\",\"fragment\":\"test_Fragment\",\"geo_location\":\"US\",\"hostname\":\"hostname\",\"http_class_name\":\"/Common/abc/test\",\"ip_address_intelligence\":\"host1\",\"ip_client\":\"81.2.69.142\",\"management_ip_address\":\"81.2.69.142\",\"management_ip_address_2\":\"81.2.69.144\",\"method\":\"GET\",\"policy_apply_date\":\"2018-11-19 22:17:57\",\"policy_name\":\"/Common/abc\",\"protocol\":\"HTTP\",\"query_string\":\"name=abc\",\"request\":\"GET /admin/.\",\"request_status\":\"blocked\",\"response_code\":\"0\",\"route_domain\":\"example.com\",\"session_id\":\"abc123abcd\",\"severity\":\"Critical\",\"sig_ids\":\"abc12bcd\",\"sig_names\":\"Sig_Name\",\"src_port\":\"49804\",\"staged_sig_ids\":\"abc23121bc\",\"staged_sig_names\":\"test_name\",\"staged_threat_campaign_names\":\"test\",\"sub_violations\":\"Evasion technique detected:Directory traversals\",\"support_id\":\"123456789\",\"telemetryEventCategory\":\"ASM\",\"tenant\":\"Common\",\"threat_campaign_names\":\"threat\",\"uri\":\"/directory/file\",\"username\":\"test User\",\"violation_rating\":\"3\",\"violations\":\"Evasion technique detected\",\"virus_name\":\"test Virus\",\"web_application_name\":\"/Common/abc\",\"websocket_direction\":\"test\",\"websocket_message_type\":\"test\",\"x_forwarded_for_header_value\":\"81.2.69.144\"}", + "original": 
"{\"hostname\":\"hostname\",\"management_ip_address\":\"81.2.69.142\",\"management_ip_address_2\":\"81.2.69.144\",\"http_class_name\":\"/Common/abc/test\",\"web_application_name\":\"/Common/abc\",\"policy_name\":\"/Common/abc\",\"policy_apply_date\":\"2018-11-19 22:17:57\",\"violations\":\"Evasion technique detected\",\"support_id\":\"123456789\",\"request_status\":\"blocked\",\"response_code\":\"0\",\"ip_client\":\"81.2.69.142\",\"route_domain\":\"example.com\",\"method\":\"GET\",\"protocol\":\"HTTP\",\"query_string\":\"name=abc\",\"x_forwarded_for_header_value\":\"81.2.69.144\",\"sig_ids\":\"abc12bcd\",\"sig_names\":\"Sig_Name\",\"date_time\":\"2018-11-19 22:34:40\",\"severity\":\"Critical\",\"attack_type\":\"Detection Evasion\",\"geo_location\":\"US\",\"ip_address_intelligence\":\"host1\",\"username\":\"test User\",\"session_id\":\"abc123abcd\",\"src_port\":\"49804\",\"dest_port\":\"80\",\"dest_ip\":\"81.2.69.142\",\"sub_violations\":\"Evasion technique detected:Directory traversals\",\"virus_name\":\"test Virus\",\"violation_rating\":\"3\",\"websocket_direction\":\"test\",\"websocket_message_type\":\"test\",\"device_id\":\"12bdca32\",\"staged_sig_ids\":\"abc23121bc\",\"staged_sig_names\":\"test_name\",\"threat_campaign_names\":\"threat\",\"staged_threat_campaign_names\":\"test\",\"blocking_exception_reason\":\"test\",\"captcha_result\":\"not_received\",\"uri\":\"/directory/file\",\"fragment\":\"test_Fragment\",\"request\":\"GET /admin/.\",\"tenant\":\"Common\",\"application\":\"app.app\",\"telemetryEventCategory\":\"ASM\"}", "type": [ "info" ] @@ -311,10 +310,16 @@ An example event for `log` looks as following: } }, "input": { - "type": "http_endpoint" + "type": "filestream" }, "log": { - "level": "critical" + "file": { + "device_id": 141, + "inode": 18837280, + "path": "/tmp/service_logs/log.log" + }, + "level": "critical", + "offset": 1876 }, "network": { "application": "app.app", 
@@ -702,7 +707,13 @@ An example event for `log` looks as following: | http.response.status_code | HTTP response status code. | long | | http.version | HTTP version. | keyword | | input.type | Input type | keyword | +| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword | +| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword | +| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword | +| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword | +| log.file.inode | Inode number of the log file. | keyword | | log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword | | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | | log.offset | Log offset | long | | log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | diff --git a/packages/f5_bigip/manifest.yml b/packages/f5_bigip/manifest.yml index f254e0f6ff28..937fbb07119d 100644 --- a/packages/f5_bigip/manifest.yml 
+++ b/packages/f5_bigip/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.0" name: f5_bigip title: F5 BIG-IP -version: "1.10.0" +version: "1.11.0" description: Collect logs from F5 BIG-IP with Elastic Agent. type: integration categories: From 640ae35ee4078b8df8c993dc27135b39384f26df Mon Sep 17 00:00:00 2001 From: Bharat Pasupula Date: Fri, 29 Sep 2023 11:52:00 +0200 Subject: [PATCH 05/14] Fix CI errors --- packages/cisco_ise/changelog.yml | 2 +- .../data_stream/log/fields/agent.yml | 1 - .../data_stream/log/sample_event.json | 160 +++++++++--------- packages/cisco_ise/docs/README.md | 158 ++++++++--------- .../data_stream/log/sample_event.json | 6 +- packages/cisco_nexus/docs/README.md | 6 +- 6 files changed, 168 insertions(+), 165 deletions(-) diff --git a/packages/cisco_ise/changelog.yml b/packages/cisco_ise/changelog.yml index 0e6e0ee4d022..510c5507c17d 100644 --- a/packages/cisco_ise/changelog.yml +++ b/packages/cisco_ise/changelog.yml @@ -10,7 +10,7 @@ type: enhancement link: https://github.com/elastic/integrations/pull/7905 - version: 1.15.0 - changes: + changes: - description: "The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest." type: enhancement link: https://github.com/elastic/integrations/pull/7883 diff --git a/packages/cisco_ise/data_stream/log/fields/agent.yml b/packages/cisco_ise/data_stream/log/fields/agent.yml index becfd8bef824..828129a0f719 100644 --- a/packages/cisco_ise/data_stream/log/fields/agent.yml +++ b/packages/cisco_ise/data_stream/log/fields/agent.yml @@ -196,4 +196,3 @@ - name: vol type: keyword description: The serial number of the volume that contains a file. (Windows-only) - diff --git a/packages/cisco_ise/data_stream/log/sample_event.json b/packages/cisco_ise/data_stream/log/sample_event.json index 2be1030b524d..02d622e3810e 100644 --- a/packages/cisco_ise/data_stream/log/sample_event.json 
+++ b/packages/cisco_ise/data_stream/log/sample_event.json @@ -1,7 +1,7 @@ { - "@timestamp": "2020-02-21T19:13:08.328Z", + "@timestamp": "2020-04-27T11:11:47.028-08:00", "agent": { - "ephemeral_id": "80f878c2-658d-44da-9195-0431c30ae456", + "ephemeral_id": "4fb324f6-0ab6-4de4-a7df-697bf22a882a", "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", "name": "docker-fleet-agent", "type": "filebeat", 
@@ -10,117 +10,119 @@ "cisco_ise": { "log": { "acct": { - "request": { - "flags": "Stop" + "authentic": "RADIUS", + "session": { + "id": "00000000/d4:ca:6d:14:87:3b/20879" + }, + "status": { + "type": "Start" } }, "acs": { "session": { - "id": "ldnnacpsn1/359344348/952729" + "id": "hijk.xyz.com/176956368/1092777" + } + }, + "airespace": { + "wlan": { + "id": 1 + } + }, + "allowed_protocol": { + "matched": { + "rule": "Default" } }, - "authen_method": "TacacsPlus", - "avpair": { - "priv_lvl": 15, - "start_time": "2020-03-26T01:17:12.000Z", - "task_id": "2962", - "timezone": "GMT" + "called_station": { + "id": "00-24-97-69-7a-c0" + }, + "calling_station": { + "id": "d4-ca-6d-14-87-3b" }, "category": { - "name": "CISE_TACACS_Accounting" + "name": "CISE_RADIUS_Accounting" }, - "cmdset": "[ CmdAV=show mac-address-table ]", + "class": "CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772", "config_version": { - "id": 1829 + "id": 33 }, "cpm": { "session": { - "id": "81.2.69.144Accounting306034364" + "id": "0a222bc0000000d123e111f0" } }, - "device": { - "type": [ - "Device Type#All Device Types#Routers", - "Device Type#All Device Types#Routers" - ] + "event": { + "timestamp": "2014-01-10T07:59:55.000Z" }, - "ipsec": [ - "IPSEC#Is IPSEC Device", - "IPSEC#Is IPSEC Device" - ], - "location": [ - "Location#All Locations#EMEA", - "Location#All Locations#EMEA" - ], - "message": { - "code": "3300", - "description": "Tacacs-Accounting: TACACS+ Accounting with Command", - "id": "0000000001" + "framed": { + "ip": "81.2.69.145" }, - "model": { - "name": "Unknown" + "location": "Location#All Locations#SJC#WNBU", + "message": { + "code": "3000", + "description": "Radius-Accounting: RADIUS Accounting start request", + "id": "0000070618" + }, + "nas": { + "identifier": "Acme_fe:56:00", + "ip": "81.2.69.145", + "port": { + "number": 13, + "type": "Wireless - IEEE 802.11" + } }, "network": { "device": { "groups": [ - "Location#All Locations#EMEA", - "Device Type#All Device 
Types#Routers", - "IPSEC#Is IPSEC Device" + "Location#All Locations#SJC#WNBU", + "Device Type#All Device Types#Wireless#WLC" ], - "name": "wlnwan1", - "profile": [ - "Cisco", - "Cisco" - ] + "name": "WNBU-WLC1" } }, - "port": "tty10", - "privilege": { - "level": 15 - }, "request": { - "latency": 1 - }, - "response": { - "AcctReply-Status": "Success" + "latency": 6 }, "segment": { "number": 0, - "total": 4 + "total": 1 }, "selected": { "access": { - "service": "Device Admin - TACACS" + "service": "Default Network Access" } }, - "service": { - "argument": "shell", - "name": "Login" - }, - "software": { - "version": "Unknown" - }, "step": [ - "13006", + "11004", + "11017", "15049", "15008", "15048", - "13035" + "15048", + "15048", + "15004", + "15006", + "11005" ], - "type": "Accounting" + "tunnel": { + "medium": { + "type": "(tag=0) 802" + }, + "private": { + "group_id": "(tag=0) 70" + }, + "type": "(tag=0) VLAN" + } } }, "client": { - "ip": "81.2.69.144" + "ip": "81.2.69.145" }, "data_stream": { "dataset": "cisco_ise.log", "namespace": "ep", "type": "logs" }, - "destination": { - "ip": "81.2.69.144" - }, "ecs": { "version": "8.10.0" }, 
@@ -130,23 +132,23 @@ "version": "8.10.1" }, "event": { - "action": "tacacs-accounting", + "action": "radius-accounting", "agent_id_status": "verified", "category": [ "configuration" ], "dataset": "cisco_ise.log", - "ingested": "2023-09-28T20:36:57Z", + "ingested": "2023-09-29T09:49:22Z", "kind": "event", - "original": "<182>Feb 21 19:13:08 cisco-ise-host CISE_TACACS_Accounting 0000000001 4 0 2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=2962, AVPair=timezone=GMT, AVPair=start_time=1585185432, AVPair=priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", - "sequence": 18415781, - "timezone": "+00:00", + "original": "<182>Apr 27 11:11:47 hijk.xyz.com CISE_RADIUS_Accounting 0000070618 1 0 2020-04-27 11:11:47.028075 -08:00 0091827141 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=6, 
NetworkDeviceName=WNBU-WLC1, User-Name=nisehorrrrn, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=81.2.69.145, Class=CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=d4-ca-6d-14-87-3b, NAS-Identifier=Acme_fe:56:00, Acct-Status-Type=Start, Acct-Session-Id=00000000/d4:ca:6d:14:87:3b/20879, Acct-Authentic=RADIUS, Event-Timestamp=1389340795, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, Airespace-Wlan-Id=1, AcsSessionID=hijk.xyz.com/176956368/1092777, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a222bc0000000d123e111f0, AllowedProtocolMatchedRule=Default, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC", + "sequence": 91827141, + "timezone": "-08:00", "type": [ "info" ] }, "host": { - "hostname": "cisco-ise-host" + "hostname": "hijk.xyz.com" }, "input": { "type": "filestream" @@ -154,11 +156,11 @@ "log": { "file": { "device_id": 141, - "inode": 18736897, + "inode": 18853370, "path": "/tmp/service_logs/log.log" }, "level": "notice", - "offset": 71596, + "offset": 44899, "syslog": { "priority": 182, "severity": { 
@@ -166,16 +168,16 @@ } } }, - "message": "2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=2962, AVPair=timezone=GMT, AVPair=start_time=1585185432, AVPair=priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", + "message": "2020-04-27 11:11:47.028075 -08:00 0091827141 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=6, NetworkDeviceName=WNBU-WLC1, User-Name=nisehorrrrn, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=81.2.69.145, Class=CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=d4-ca-6d-14-87-3b, NAS-Identifier=Acme_fe:56:00, Acct-Status-Type=Start, Acct-Session-Id=00000000/d4:ca:6d:14:87:3b/20879, Acct-Authentic=RADIUS, Event-Timestamp=1389340795, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, 
Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, Airespace-Wlan-Id=1, AcsSessionID=hijk.xyz.com/176956368/1092777, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a222bc0000000d123e111f0, AllowedProtocolMatchedRule=Default, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC", "related": { "hosts": [ - "cisco-ise-host" + "hijk.xyz.com" ], "ip": [ - "81.2.69.144" + "81.2.69.145" ], "user": [ - "psxvne" + "nisehorrrrn" ] }, "tags": [ @@ -184,6 +186,6 @@ "cisco_ise-log" ], "user": { - "name": "psxvne" + "name": "nisehorrrrn" } } \ No newline at end of file diff --git a/packages/cisco_ise/docs/README.md b/packages/cisco_ise/docs/README.md index 0dd17123d412..8bbc2ba4b04a 100644 --- a/packages/cisco_ise/docs/README.md +++ b/packages/cisco_ise/docs/README.md @@ -35,9 +35,9 @@ An example event for `log` looks as following: ```json { - "@timestamp": "2020-02-21T19:13:08.328Z", + "@timestamp": "2020-04-27T11:11:47.028-08:00", "agent": { - "ephemeral_id": "80f878c2-658d-44da-9195-0431c30ae456", + "ephemeral_id": "4fb324f6-0ab6-4de4-a7df-697bf22a882a", "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", "name": "docker-fleet-agent", "type": "filebeat", 
@@ -46,117 +46,119 @@ An example event for `log` looks as following: "cisco_ise": { "log": { "acct": { - "request": { - "flags": "Stop" + "authentic": "RADIUS", + "session": { + "id": "00000000/d4:ca:6d:14:87:3b/20879" + }, + "status": { + "type": "Start" } }, "acs": { "session": { - "id": "ldnnacpsn1/359344348/952729" + "id": "hijk.xyz.com/176956368/1092777" + } + }, + "airespace": { + "wlan": { + "id": 1 + } + }, + "allowed_protocol": { + "matched": { + "rule": "Default" } }, - "authen_method": "TacacsPlus", - "avpair": { - "priv_lvl": 15, - "start_time": "2020-03-26T01:17:12.000Z", - "task_id": "2962", - "timezone": "GMT" + "called_station": { + "id": "00-24-97-69-7a-c0" + }, + "calling_station": { + "id": "d4-ca-6d-14-87-3b" }, "category": { - "name": "CISE_TACACS_Accounting" + "name": "CISE_RADIUS_Accounting" }, - "cmdset": "[ CmdAV=show mac-address-table ]", + "class": "CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772", "config_version": { - "id": 1829 + "id": 33 }, "cpm": { "session": { - "id": "81.2.69.144Accounting306034364" + "id": "0a222bc0000000d123e111f0" } }, - "device": { - "type": [ - "Device Type#All Device Types#Routers", - "Device Type#All Device Types#Routers" - ] + "event": { + "timestamp": "2014-01-10T07:59:55.000Z" }, - "ipsec": [ - "IPSEC#Is IPSEC Device", - "IPSEC#Is IPSEC Device" - ], - "location": [ - "Location#All Locations#EMEA", - "Location#All Locations#EMEA" - ], + "framed": { + "ip": "81.2.69.145" + }, + "location": "Location#All Locations#SJC#WNBU", "message": { - "code": "3300", - "description": "Tacacs-Accounting: TACACS+ Accounting with Command", - "id": "0000000001" + "code": "3000", + "description": "Radius-Accounting: RADIUS Accounting start request", + "id": "0000070618" }, - "model": { - "name": "Unknown" + "nas": { + "identifier": "Acme_fe:56:00", + "ip": "81.2.69.145", + "port": { + "number": 13, + "type": "Wireless - IEEE 802.11" + } }, "network": { "device": { "groups": [ - "Location#All Locations#EMEA", - 
"Device Type#All Device Types#Routers", - "IPSEC#Is IPSEC Device" + "Location#All Locations#SJC#WNBU", + "Device Type#All Device Types#Wireless#WLC" ], - "name": "wlnwan1", - "profile": [ - "Cisco", - "Cisco" - ] + "name": "WNBU-WLC1" } }, - "port": "tty10", - "privilege": { - "level": 15 - }, "request": { - "latency": 1 - }, - "response": { - "AcctReply-Status": "Success" + "latency": 6 }, "segment": { "number": 0, - "total": 4 + "total": 1 }, "selected": { "access": { - "service": "Device Admin - TACACS" + "service": "Default Network Access" } }, - "service": { - "argument": "shell", - "name": "Login" - }, - "software": { - "version": "Unknown" - }, "step": [ - "13006", + "11004", + "11017", "15049", "15008", "15048", - "13035" + "15048", + "15048", + "15004", + "15006", + "11005" ], - "type": "Accounting" + "tunnel": { + "medium": { + "type": "(tag=0) 802" + }, + "private": { + "group_id": "(tag=0) 70" + }, + "type": "(tag=0) VLAN" + } } }, "client": { - "ip": "81.2.69.144" + "ip": "81.2.69.145" }, "data_stream": { "dataset": "cisco_ise.log", "namespace": "ep", "type": "logs" }, - "destination": { - "ip": "81.2.69.144" - }, "ecs": { "version": "8.10.0" }, 
@@ -166,23 +168,23 @@ An example event for `log` looks as following: "version": "8.10.1" }, "event": { - "action": "tacacs-accounting", + "action": "radius-accounting", "agent_id_status": "verified", "category": [ "configuration" ], "dataset": "cisco_ise.log", - "ingested": "2023-09-28T20:36:57Z", + "ingested": "2023-09-29T09:49:22Z", "kind": "event", - "original": "<182>Feb 21 19:13:08 cisco-ise-host CISE_TACACS_Accounting 0000000001 4 0 2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=2962, AVPair=timezone=GMT, AVPair=start_time=1585185432, AVPair=priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", - "sequence": 18415781, - "timezone": "+00:00", + "original": "<182>Apr 27 11:11:47 hijk.xyz.com CISE_RADIUS_Accounting 0000070618 1 0 2020-04-27 11:11:47.028075 -08:00 0091827141 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=33, Device IP 
Address=81.2.69.145, RequestLatency=6, NetworkDeviceName=WNBU-WLC1, User-Name=nisehorrrrn, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=81.2.69.145, Class=CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=d4-ca-6d-14-87-3b, NAS-Identifier=Acme_fe:56:00, Acct-Status-Type=Start, Acct-Session-Id=00000000/d4:ca:6d:14:87:3b/20879, Acct-Authentic=RADIUS, Event-Timestamp=1389340795, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, Airespace-Wlan-Id=1, AcsSessionID=hijk.xyz.com/176956368/1092777, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a222bc0000000d123e111f0, AllowedProtocolMatchedRule=Default, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC", + "sequence": 91827141, + "timezone": "-08:00", "type": [ "info" ] }, "host": { - "hostname": "cisco-ise-host" + "hostname": "hijk.xyz.com" }, "input": { "type": "filestream" @@ -190,11 +192,11 @@ An example event for `log` looks as following: "log": { "file": { "device_id": 141, - "inode": 18736897, + "inode": 18853370, "path": "/tmp/service_logs/log.log" }, "level": "notice", - "offset": 71596, + "offset": 44899, "syslog": { "priority": 182, "severity": { 
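Review bot: `"device_id": 141` and `"inode": 18853370` are JSON numbers in the sample, while the same commit maps `log.file.device_id` and `log.file.inode` as `keyword` in agent.yml, so the docs example and the field table disagree on the type. Elasticsearch indexes a numeric JSON value into a keyword field as its string form, but a reader copying the example into a query or test will not know that, and the `numeric_keyword_fields` entry in the test config exists only to tolerate the mismatch. Either render the values as strings in the sample (`"device_id": "141"`, `"inode": "18853370"`) or add to each field description in agent.yml a clause such as `The sample event shows this as a number; it is mapped as keyword because it is an identifier, not a quantity.` The enclosing event document starts and ends outside the hunk.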
@@ -202,16 +204,16 @@ An example event for `log` looks as following: } } }, - "message": "2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=2962, AVPair=timezone=GMT, AVPair=start_time=1585185432, AVPair=priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", + "message": "2020-04-27 11:11:47.028075 -08:00 0091827141 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=6, NetworkDeviceName=WNBU-WLC1, User-Name=nisehorrrrn, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=81.2.69.145, Class=CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=d4-ca-6d-14-87-3b, NAS-Identifier=Acme_fe:56:00, Acct-Status-Type=Start, Acct-Session-Id=00000000/d4:ca:6d:14:87:3b/20879, Acct-Authentic=RADIUS, Event-Timestamp=1389340795, 
NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, Airespace-Wlan-Id=1, AcsSessionID=hijk.xyz.com/176956368/1092777, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a222bc0000000d123e111f0, AllowedProtocolMatchedRule=Default, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC", "related": { "hosts": [ - "cisco-ise-host" + "hijk.xyz.com" ], "ip": [ - "81.2.69.144" + "81.2.69.145" ], "user": [ - "psxvne" + "nisehorrrrn" ] }, "tags": [ @@ -220,7 +222,7 @@ An example event for `log` looks as following: "cisco_ise-log" ], "user": { - "name": "psxvne" + "name": "nisehorrrrn" } } ``` diff --git a/packages/cisco_nexus/data_stream/log/sample_event.json b/packages/cisco_nexus/data_stream/log/sample_event.json index 5f723324439f..df07e6a5aeda 100644 --- a/packages/cisco_nexus/data_stream/log/sample_event.json +++ b/packages/cisco_nexus/data_stream/log/sample_event.json @@ -1,7 +1,7 @@ { "@timestamp": "2023-04-26T09:08:48.000Z", "agent": { - "ephemeral_id": "c26767a5-820b-4d00-baa4-91a2ccb68a2f", + "ephemeral_id": "eb61ca35-ffda-44d8-8daf-6412d75b3f1f", "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", "name": "docker-fleet-agent", "type": "filebeat", @@ -40,7 +40,7 @@ ], "code": "NF_PARITY_ERROR", "dataset": "cisco_nexus.log", - "ingested": "2023-09-28T21:03:12Z", + "ingested": "2023-09-29T09:33:45Z", "kind": "event", "original": "<187>switchname: 2023 Apr 26 09:08:48 UTC: %EARL-SW2_DFC1-3-NF_PARITY_ERROR: EARL 0 NF ASIC: Uncorrectable Parity error in Netflow Table.", "severity": 3, 
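Review bot: The cisco_nexus sample_event.json hunks that follow change only `agent.ephemeral_id`, `event.ingested` and the port in `log.source.address`, none of which relate to the cisco_ise filestream fields this commit is about. They look like a by-product of regenerating sample events for every package in the working tree, and the docs/README.md copies of the same hunks carry the identical churn. Dropping them from this commit (or moving them to a cisco_nexus commit of the series, if one exists) keeps each commit's diff reviewable against its subject.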
@@ -54,7 +54,7 @@ "log": { "level": "error", "source": { - "address": "192.168.192.4:45126" + "address": "192.168.192.4:38964" }, "syslog": { "facility": { diff --git a/packages/cisco_nexus/docs/README.md b/packages/cisco_nexus/docs/README.md index c12c20ff3ac4..b9e2be3c3654 100644 --- a/packages/cisco_nexus/docs/README.md +++ b/packages/cisco_nexus/docs/README.md @@ -46,7 +46,7 @@ An example event for `log` looks as following: { "@timestamp": "2023-04-26T09:08:48.000Z", "agent": { - "ephemeral_id": "c26767a5-820b-4d00-baa4-91a2ccb68a2f", + "ephemeral_id": "eb61ca35-ffda-44d8-8daf-6412d75b3f1f", "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", "name": "docker-fleet-agent", "type": "filebeat", @@ -85,7 +85,7 @@ An example event for `log` looks as following: ], "code": "NF_PARITY_ERROR", "dataset": "cisco_nexus.log", - "ingested": "2023-09-28T21:03:12Z", + "ingested": "2023-09-29T09:33:45Z", "kind": "event", "original": "<187>switchname: 2023 Apr 26 09:08:48 UTC: %EARL-SW2_DFC1-3-NF_PARITY_ERROR: EARL 0 NF ASIC: Uncorrectable Parity error in Netflow Table.", "severity": 3, @@ -99,7 +99,7 @@ An example event for `log` looks as following: "log": { "level": "error", "source": { - "address": "192.168.192.4:45126" + "address": "192.168.192.4:38964" }, "syslog": { "facility": { From c47e87ac918f191786963ca3909761ee82f65423 Mon Sep 17 00:00:00 2001 From: Bharat Pasupula Date: Fri, 29 Sep 2023 13:31:29 +0200 Subject: [PATCH 06/14] [fortinet_fortimail] Add new filestream fields --- packages/fortinet_fortimail/changelog.yml | 5 ++++ .../_dev/test/system/test-logfile-config.yml | 6 +++++ .../data_stream/log/fields/beats.yml | 21 ++++++++++++++++ .../data_stream/log/sample_event.json | 18 +++++++------- packages/fortinet_fortimail/docs/README.md | 24 ++++++++++++------- packages/fortinet_fortimail/manifest.yml | 2 +- 6 files changed, 57 insertions(+), 19 deletions(-) 
diff --git a/packages/fortinet_fortimail/changelog.yml b/packages/fortinet_fortimail/changelog.yml
index 3a0df872f10e..9f6ba4e62c6a 100644
--- a/packages/fortinet_fortimail/changelog.yml
+++ b/packages/fortinet_fortimail/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: 2.10.0
+ changes:
+ - description: Adapt fields for changes in file system info
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8014
 - version: 2.9.0
 changes:
 - description: ECS version updated to 8.10.0.
diff --git a/packages/fortinet_fortimail/data_stream/log/_dev/test/system/test-logfile-config.yml b/packages/fortinet_fortimail/data_stream/log/_dev/test/system/test-logfile-config.yml
index c30d11512934..8344183897b6 100644
--- a/packages/fortinet_fortimail/data_stream/log/_dev/test/system/test-logfile-config.yml
+++ b/packages/fortinet_fortimail/data_stream/log/_dev/test/system/test-logfile-config.yml
@@ -6,3 +6,9 @@ data_stream:
 - "{{SERVICE_LOGS_DIR}}/*fortimail*.log"
 preserve_original_event: true
 preserve_duplicate_custom_fields: true
+numeric_keyword_fields:
+ - log.file.device_id
+ - log.file.inode
+ - log.file.idxhi
+ - log.file.idxlo
+ - log.file.vol
diff --git a/packages/fortinet_fortimail/data_stream/log/fields/beats.yml b/packages/fortinet_fortimail/data_stream/log/fields/beats.yml
index 80cbae91caed..02620450bd73 100644
--- a/packages/fortinet_fortimail/data_stream/log/fields/beats.yml
+++ b/packages/fortinet_fortimail/data_stream/log/fields/beats.yml
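Review bot: `numeric_keyword_fields` is added to the test config with no comment saying why, and the identical five-line block reappears in the fortinet_fortimanager, juniper_srx and keycloak test configs later in this series. The setting tells the system test to accept a numeric value in a field the package maps as `keyword`, which is exactly the situation for `log.file.device_id` and `log.file.inode` (the cisco_ise sample event in this series shows both as numbers), but that intent is not recoverable from the list alone. A one-line comment above it, `# filestream reports these identifiers as numbers; the package maps them as keyword`, would make the workaround self-explaining. `fingerprint` is correctly left out since it is described as a sha256 string.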
@@ -7,3 +7,24 @@ - name: tags type: keyword description: User defined tags. +- name: log.file + type: group + fields: + - name: device_id + type: keyword + description: ID of the device containing the filesystem where the file resides. + - name: fingerprint + type: keyword + description: The sha256 fingerprint identity of the file when fingerprinting is enabled. + - name: inode + type: keyword + description: Inode number of the log file. + - name: idxhi + type: keyword + description: The high-order part of a unique identifier that is associated with a file. (Windows-only) + - name: idxlo + type: keyword + description: The low-order part of a unique identifier that is associated with a file. (Windows-only) + - name: vol + type: keyword + description: The serial number of the volume that contains a file. (Windows-only) diff --git a/packages/fortinet_fortimail/data_stream/log/sample_event.json b/packages/fortinet_fortimail/data_stream/log/sample_event.json index 1bcff9a006fc..21b60eece1ba 100644 --- a/packages/fortinet_fortimail/data_stream/log/sample_event.json +++ b/packages/fortinet_fortimail/data_stream/log/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2013-02-25T07:01:34.000Z", "agent": { - "ephemeral_id": "d71bab02-1a42-4119-ae2a-78113cf3e0c2", - "id": "5fcd6016-3c0e-45e7-b624-cc2a254f1769", + "ephemeral_id": "72562740-51f7-47c3-9398-83330775b2e3", + "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.3.0" + "version": "8.10.1" }, "data_stream": { "dataset": "fortinet_fortimail.log", @@ -19,9 +19,9 @@ "version": "8.10.0" }, "elastic_agent": { - "id": "5fcd6016-3c0e-45e7-b624-cc2a254f1769", + "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", "snapshot": false, - "version": "8.3.0" + "version": "8.10.1" }, "email": { "direction": "unknown", 
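Review bot: The descriptions of `device_id` and `inode` do not say why they are `keyword` rather than `long`, which reads as an oversight next to `log.offset` (`long`) in the same package's field table; the mapping is right because these are identifiers, not quantities, and the description should say so. Suggested wording for `inode`: `Inode number of the log file, stored as keyword because it is an identifier rather than a quantity.`, and the same clause for `device_id`. The whole `log.file` group is also repeated verbatim in fortinet_fortimanager beats.yml and juniper_srx agent.yml further down the series, so any later correction to these descriptions must be made in every package by hand.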
@@ -42,9 +42,9 @@ "agent_id_status": "verified", "code": "0200025843", "dataset": "fortinet_fortimail.log", - "ingested": "2023-03-16T06:09:49Z", + "ingested": "2023-09-29T11:24:14Z", "kind": "event", - "original": "\u003c187\u003edate=2013-02-25,time=07:01:34,device_id=FE100C3909600504,log_id=0200025843,type=statistics,pri=information,session_id=\"r1PF1YTh025836-r1PF1YTh025836\",client_name=\"user\",dst_ip=\"81.2.69.194\",endpoint=\"\",from=\"aaa@bbb.com\",to=\"user1@example.com\",polid=\"0:1:0\",domain=\"example.com\",subject=\"Test12345\",mailer=\"proxy\",resolved=\"FAIL\",direction=\"unknown\",virus=\"\",disposition=\"Delay\",classifier=\"Session Limits\",message_length=\"199986\"", + "original": "<187>date=2013-02-25,time=07:01:34,device_id=FE100C3909600504,log_id=0200025843,type=statistics,pri=information,session_id=\"r1PF1YTh025836-r1PF1YTh025836\",client_name=\"user\",dst_ip=\"81.2.69.194\",endpoint=\"\",from=\"aaa@bbb.com\",to=\"user1@example.com\",polid=\"0:1:0\",domain=\"example.com\",subject=\"Test12345\",mailer=\"proxy\",resolved=\"FAIL\",direction=\"unknown\",virus=\"\",disposition=\"Delay\",classifier=\"Session Limits\",message_length=\"199986\"", "outcome": "failure" }, "fortinet_fortimail": { @@ -75,12 +75,12 @@ } }, "input": { - "type": "udp" + "type": "tcp" }, "log": { "level": "information", "source": { - "address": "172.23.0.5:36516" + "address": "192.168.192.4:56080" }, "syslog": { "facility": { diff --git a/packages/fortinet_fortimail/docs/README.md b/packages/fortinet_fortimail/docs/README.md index 5ff2003b121a..9a843e9d32b7 100644 --- a/packages/fortinet_fortimail/docs/README.md +++ b/packages/fortinet_fortimail/docs/README.md 
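Review bot: The regenerated fortimail sample comes from the `tcp` input (`"type": "tcp"` plus a `log.source.address`) rather than the log-file test, so none of the `log.file.*` fields this commit adds appear in the documented example; the fortinet_fortimanager and juniper_srx samples later in the series have the same gap. The `input.type` change from `udp` to `tcp` and the new source address are unrelated to filestream fields and are not explained by the changelog entry. If the intent is to document the new fields, generate the sample from test-logfile-config.yml so the example carries a `log.file` block; otherwise regenerate it from the original udp fixture so the diff is limited to agent-version churn. The enclosing event document starts and ends outside the hunk.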
@@ -56,11 +56,11 @@ An example event for `log` looks as following: { "@timestamp": "2013-02-25T07:01:34.000Z", "agent": { - "ephemeral_id": "d71bab02-1a42-4119-ae2a-78113cf3e0c2", - "id": "5fcd6016-3c0e-45e7-b624-cc2a254f1769", + "ephemeral_id": "72562740-51f7-47c3-9398-83330775b2e3", + "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.3.0" + "version": "8.10.1" }, "data_stream": { "dataset": "fortinet_fortimail.log", @@ -74,9 +74,9 @@ An example event for `log` looks as following: "version": "8.10.0" }, "elastic_agent": { - "id": "5fcd6016-3c0e-45e7-b624-cc2a254f1769", + "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", "snapshot": false, - "version": "8.3.0" + "version": "8.10.1" }, "email": { "direction": "unknown", 
@@ -97,9 +97,9 @@ An example event for `log` looks as following: "agent_id_status": "verified", "code": "0200025843", "dataset": "fortinet_fortimail.log", - "ingested": "2023-03-16T06:09:49Z", + "ingested": "2023-09-29T11:24:14Z", "kind": "event", - "original": "\u003c187\u003edate=2013-02-25,time=07:01:34,device_id=FE100C3909600504,log_id=0200025843,type=statistics,pri=information,session_id=\"r1PF1YTh025836-r1PF1YTh025836\",client_name=\"user\",dst_ip=\"81.2.69.194\",endpoint=\"\",from=\"aaa@bbb.com\",to=\"user1@example.com\",polid=\"0:1:0\",domain=\"example.com\",subject=\"Test12345\",mailer=\"proxy\",resolved=\"FAIL\",direction=\"unknown\",virus=\"\",disposition=\"Delay\",classifier=\"Session Limits\",message_length=\"199986\"", + "original": "<187>date=2013-02-25,time=07:01:34,device_id=FE100C3909600504,log_id=0200025843,type=statistics,pri=information,session_id=\"r1PF1YTh025836-r1PF1YTh025836\",client_name=\"user\",dst_ip=\"81.2.69.194\",endpoint=\"\",from=\"aaa@bbb.com\",to=\"user1@example.com\",polid=\"0:1:0\",domain=\"example.com\",subject=\"Test12345\",mailer=\"proxy\",resolved=\"FAIL\",direction=\"unknown\",virus=\"\",disposition=\"Delay\",classifier=\"Session Limits\",message_length=\"199986\"", "outcome": "failure" }, "fortinet_fortimail": { @@ -130,12 +130,12 @@ An example event for `log` looks as following: } }, "input": { - "type": "udp" + "type": "tcp" }, "log": { "level": "information", "source": { - "address": "172.23.0.5:36516" + "address": "192.168.192.4:56080" }, "syslog": { "facility": { 
@@ -243,6 +243,12 @@ An example event for `log` looks as following: | fortinet_fortimail.log.virus | | keyword | | fortinet_fortimail.log.xfer_time | | double | | input.type | Type of Filebeat input. | keyword | +| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword | +| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword | +| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword | +| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword | +| log.file.inode | Inode number of the log file. | keyword | +| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword | | log.offset | Log offset. | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | | tags | User defined tags. | keyword | diff --git a/packages/fortinet_fortimail/manifest.yml b/packages/fortinet_fortimail/manifest.yml index f3ea1e125f27..c4adb4460049 100644 --- a/packages/fortinet_fortimail/manifest.yml +++ b/packages/fortinet_fortimail/manifest.yml @@ -1,6 +1,6 @@ name: fortinet_fortimail title: Fortinet FortiMail -version: "2.9.0" +version: "2.10.0" description: Collect logs from Fortinet FortiMail instances with Elastic Agent. type: integration format_version: "3.0.0" From e0e31e594c48399e8d661a02bd5f5c25cd3df52a Mon Sep 17 00:00:00 2001 
From: Bharat Pasupula Date: Fri, 29 Sep 2023 13:37:17 +0200 Subject: [PATCH 07/14] [fortinet_fortimanager] Add new filestream fields --- packages/fortinet_fortimanager/changelog.yml | 5 ++++ .../_dev/test/system/test-logfile-config.yml | 6 ++++ .../data_stream/log/fields/beats.yml | 21 ++++++++++++++ .../data_stream/log/sample_event.json | 22 +++++++-------- packages/fortinet_fortimanager/docs/README.md | 28 +++++++++++-------- packages/fortinet_fortimanager/manifest.yml | 2 +- 6 files changed, 59 insertions(+), 25 deletions(-) diff --git a/packages/fortinet_fortimanager/changelog.yml b/packages/fortinet_fortimanager/changelog.yml index 85c110849977..f55882fb5745 100644 --- a/packages/fortinet_fortimanager/changelog.yml +++ b/packages/fortinet_fortimanager/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: 2.8.0 + changes: + - description: Adapt fields for changes in file system info + type: enhancement + link: https://github.com/elastic/integrations/pull/8014 - version: 2.7.0 changes: - description: ECS version updated to 8.10.0. diff --git a/packages/fortinet_fortimanager/data_stream/log/_dev/test/system/test-logfile-config.yml b/packages/fortinet_fortimanager/data_stream/log/_dev/test/system/test-logfile-config.yml index 3070c5c99a59..bdab5f3bba1e 100644 --- a/packages/fortinet_fortimanager/data_stream/log/_dev/test/system/test-logfile-config.yml +++ b/packages/fortinet_fortimanager/data_stream/log/_dev/test/system/test-logfile-config.yml @@ -6,3 +6,9 @@ data_stream: - "{{SERVICE_LOGS_DIR}}/*fortimanager*.log" preserve_original_event: true preserve_duplicate_custom_fields: true +numeric_keyword_fields: + - log.file.device_id + - log.file.inode + - log.file.idxhi + - log.file.idxlo + - log.file.vol diff --git a/packages/fortinet_fortimanager/data_stream/log/fields/beats.yml b/packages/fortinet_fortimanager/data_stream/log/fields/beats.yml index b3701b581cf4..3a663ab68fb8 100644 
--- a/packages/fortinet_fortimanager/data_stream/log/fields/beats.yml +++ b/packages/fortinet_fortimanager/data_stream/log/fields/beats.yml @@ -7,3 +7,24 @@ - name: tags type: keyword description: User defined tags. +- name: log.file + type: group + fields: + - name: device_id + type: keyword + description: ID of the device containing the filesystem where the file resides. + - name: fingerprint + type: keyword + description: The sha256 fingerprint identity of the file when fingerprinting is enabled. + - name: inode + type: keyword + description: Inode number of the log file. + - name: idxhi + type: keyword + description: The high-order part of a unique identifier that is associated with a file. (Windows-only) + - name: idxlo + type: keyword + description: The low-order part of a unique identifier that is associated with a file. (Windows-only) + - name: vol + type: keyword + description: The serial number of the volume that contains a file. (Windows-only) diff --git a/packages/fortinet_fortimanager/data_stream/log/sample_event.json b/packages/fortinet_fortimanager/data_stream/log/sample_event.json index 790a263a84f5..9c6890bf1c34 100644 --- a/packages/fortinet_fortimanager/data_stream/log/sample_event.json +++ b/packages/fortinet_fortimanager/data_stream/log/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2023-02-19T22:20:11.000Z", "agent": { - "ephemeral_id": "99dc35a7-262c-432b-b09a-0448f5c39a96", - "id": "207d005f-24c8-4c18-9523-e040132174ee", + "ephemeral_id": "571642d6-afbf-444b-a9ac-b4a282112ade", + "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.3.0" + "version": "8.10.1" }, "data_stream": { "dataset": "fortinet_fortimanager.log", 
@@ -19,19 +19,17 @@ "version": "8.10.0" }, "elastic_agent": { - "id": "207d005f-24c8-4c18-9523-e040132174ee", + "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", "snapshot": false, - "version": "8.3.0" + "version": "8.10.1" }, "event": { "action": "roll", "agent_id_status": "verified", "dataset": "fortinet_fortimanager.log", - "ingested": "2023-02-28T07:54:06Z", - "kind": [ - "event" - ], - "original": "\u003c134\u003edate=2023-02-20 time=03:20:11 tz=\"+0500\" devname=Crest-Elastic-FMG-VM64 device_id=FMGVMSTM23000100 log_id=0031040026 type=event subtype=logfile pri=information desc=\"Rolling disk log file\" user=\"system\" userfrom=\"system\" msg=\"Rolled log file glog.1676746501.log of device SYSLOG-0A32041A [SYSLOG-0A32041A] vdom root.\" operation=\"Roll logfile\" performed_on=\"\" changes=\"Rolled log file.\" action=\"roll\"", + "ingested": "2023-09-29T11:36:28Z", + "kind": "event", + "original": "<134>date=2023-02-20 time=03:20:11 tz=\"+0500\" devname=Crest-Elastic-FMG-VM64 device_id=FMGVMSTM23000100 log_id=0031040026 type=event subtype=logfile pri=information desc=\"Rolling disk log file\" user=\"system\" userfrom=\"system\" msg=\"Rolled log file glog.1676746501.log of device SYSLOG-0A32041A [SYSLOG-0A32041A] vdom root.\" operation=\"Roll logfile\" performed_on=\"\" changes=\"Rolled log file.\" action=\"roll\"", "timezone": "+0500", "type": [ "info" @@ -67,11 +65,11 @@ "hostname": "Crest-Elastic-FMG-VM64" }, "input": { - "type": "udp" + "type": "tcp" }, "log": { "source": { - "address": "172.20.0.1:56706" + "address": "192.168.192.4:54028" } }, "message": "Rolled log file glog.1676746501.log of device SYSLOG-0A32041A [SYSLOG-0A32041A] vdom root.", diff --git a/packages/fortinet_fortimanager/docs/README.md b/packages/fortinet_fortimanager/docs/README.md index d87f4448e643..9b1b315cbe64 100644 --- a/packages/fortinet_fortimanager/docs/README.md +++ b/packages/fortinet_fortimanager/docs/README.md 
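Review bot: `event.kind` changes from the one-element array `["event"]` to the scalar `"event"` in the documented sample, which is a change in the event's shape that the changelog entry ("Adapt fields for changes in file system info") does not cover. The scalar is the form ECS defines for `event.kind`, so the change is welcome, but it presumably comes from a pipeline fix landed elsewhere; a changelog line or a sentence in the commit description should say so, otherwise a reader of this diff cannot tell whether the pipeline output changed or only the fixture did. The docs/README.md copy of this hunk mirrors the same change. The enclosing event document starts and ends outside the hunk.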
@@ -50,11 +50,11 @@ An example event for `log` looks as following: { "@timestamp": "2023-02-19T22:20:11.000Z", "agent": { - "ephemeral_id": "99dc35a7-262c-432b-b09a-0448f5c39a96", - "id": "207d005f-24c8-4c18-9523-e040132174ee", + "ephemeral_id": "571642d6-afbf-444b-a9ac-b4a282112ade", + "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.3.0" + "version": "8.10.1" }, "data_stream": { "dataset": "fortinet_fortimanager.log", @@ -68,19 +68,17 @@ An example event for `log` looks as following: "version": "8.10.0" }, "elastic_agent": { - "id": "207d005f-24c8-4c18-9523-e040132174ee", + "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", "snapshot": false, - "version": "8.3.0" + "version": "8.10.1" }, "event": { "action": "roll", "agent_id_status": "verified", "dataset": "fortinet_fortimanager.log", - "ingested": "2023-02-28T07:54:06Z", - "kind": [ - "event" - ], - "original": "\u003c134\u003edate=2023-02-20 time=03:20:11 tz=\"+0500\" devname=Crest-Elastic-FMG-VM64 device_id=FMGVMSTM23000100 log_id=0031040026 type=event subtype=logfile pri=information desc=\"Rolling disk log file\" user=\"system\" userfrom=\"system\" msg=\"Rolled log file glog.1676746501.log of device SYSLOG-0A32041A [SYSLOG-0A32041A] vdom root.\" operation=\"Roll logfile\" performed_on=\"\" changes=\"Rolled log file.\" action=\"roll\"", + "ingested": "2023-09-29T11:36:28Z", + "kind": "event", + "original": "<134>date=2023-02-20 time=03:20:11 tz=\"+0500\" devname=Crest-Elastic-FMG-VM64 device_id=FMGVMSTM23000100 log_id=0031040026 type=event subtype=logfile pri=information desc=\"Rolling disk log file\" user=\"system\" userfrom=\"system\" msg=\"Rolled log file glog.1676746501.log of device SYSLOG-0A32041A [SYSLOG-0A32041A] vdom root.\" operation=\"Roll logfile\" performed_on=\"\" changes=\"Rolled log file.\" action=\"roll\"", "timezone": "+0500", "type": [ "info" 
@@ -116,11 +114,11 @@ An example event for `log` looks as following: "hostname": "Crest-Elastic-FMG-VM64" }, "input": { - "type": "udp" + "type": "tcp" }, "log": { "source": { - "address": "172.20.0.1:56706" + "address": "192.168.192.4:54028" } }, "message": "Rolled log file glog.1676746501.log of device SYSLOG-0A32041A [SYSLOG-0A32041A] vdom root.", @@ -336,7 +334,13 @@ An example event for `log` looks as following: | fortimanager.log.whitelist_size | The size of white list table. | keyword | | fortimanager.log.zip_path | The name of the gzip file being transferred to the server. | keyword | | input.type | Type of filebeat input. | keyword | +| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword | +| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword | +| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword | +| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword | +| log.file.inode | Inode number of the log file. | keyword | | log.file.path | Full path to the log file this event came from. | keyword | +| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword | | log.flags | Flags for the log file. | keyword | | log.offset | Log offset. | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | diff --git a/packages/fortinet_fortimanager/manifest.yml b/packages/fortinet_fortimanager/manifest.yml index 5bf95d1b1fbc..0ef43ccc530c 100644 --- a/packages/fortinet_fortimanager/manifest.yml +++ b/packages/fortinet_fortimanager/manifest.yml 
@@ -1,7 +1,7 @@ format_version: "3.0.0" name: fortinet_fortimanager title: Fortinet FortiManager Logs -version: "2.7.0" +version: "2.8.0" description: Collect logs from Fortinet FortiManager instances with Elastic Agent. type: integration categories: ["security", "network", "firewall_security"] From fdc47a0ec5945dfc539ca2eddd3e3dacfc128afd Mon Sep 17 00:00:00 2001 From: Bharat Pasupula Date: Fri, 29 Sep 2023 14:16:20 +0200 Subject: [PATCH 08/14] [juniper_srx] Add new filestream fields --- packages/juniper_srx/changelog.yml | 5 +++++ .../_dev/test/system/test-logfile-config.yml | 6 ++++++ .../data_stream/log/fields/agent.yml | 21 +++++++++++++++++++ .../data_stream/log/sample_event.json | 19 ++++++++++------- packages/juniper_srx/docs/README.md | 6 ++++++ packages/juniper_srx/manifest.yml | 2 +- 6 files changed, 50 insertions(+), 9 deletions(-) diff --git a/packages/juniper_srx/changelog.yml b/packages/juniper_srx/changelog.yml index d2026962f21d..a4eb056e6981 100644 --- a/packages/juniper_srx/changelog.yml +++ b/packages/juniper_srx/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: 1.17.0 + changes: + - description: Adapt fields for changes in file system info + type: enhancement + link: https://github.com/elastic/integrations/pull/8014 - version: "1.16.1" changes: - description: Removing unused ECS field declarations. diff --git a/packages/juniper_srx/data_stream/log/_dev/test/system/test-logfile-config.yml b/packages/juniper_srx/data_stream/log/_dev/test/system/test-logfile-config.yml index 2253a06d48eb..2128256c0c74 100644 --- a/packages/juniper_srx/data_stream/log/_dev/test/system/test-logfile-config.yml +++ b/packages/juniper_srx/data_stream/log/_dev/test/system/test-logfile-config.yml @@ -4,3 +4,9 @@ data_stream: vars: paths: - "{{SERVICE_LOGS_DIR}}/*srx*.log" +numeric_keyword_fields: + - log.file.device_id + - log.file.inode + - log.file.idxhi + - log.file.idxlo + - log.file.vol 
diff --git a/packages/juniper_srx/data_stream/log/fields/agent.yml b/packages/juniper_srx/data_stream/log/fields/agent.yml index d30923aab30d..004cafbe2069 100644 --- a/packages/juniper_srx/data_stream/log/fields/agent.yml +++ b/packages/juniper_srx/data_stream/log/fields/agent.yml @@ -70,3 +70,24 @@ - name: log.source.address type: keyword description: Source address of the syslog message. +- name: log.file + type: group + fields: + - name: device_id + type: keyword + description: ID of the device containing the filesystem where the file resides. + - name: fingerprint + type: keyword + description: The sha256 fingerprint identity of the file when fingerprinting is enabled. + - name: inode + type: keyword + description: Inode number of the log file. + - name: idxhi + type: keyword + description: The high-order part of a unique identifier that is associated with a file. (Windows-only) + - name: idxlo + type: keyword + description: The low-order part of a unique identifier that is associated with a file. (Windows-only) + - name: vol + type: keyword + description: The serial number of the volume that contains a file. (Windows-only) diff --git a/packages/juniper_srx/data_stream/log/sample_event.json b/packages/juniper_srx/data_stream/log/sample_event.json index 594ed585dfee..e93968f721d6 100644 --- a/packages/juniper_srx/data_stream/log/sample_event.json +++ b/packages/juniper_srx/data_stream/log/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2016-02-18T01:32:50.391Z", "agent": { - "ephemeral_id": "468e3921-9867-43fa-8cc6-d8b5ccb54a25", - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "ephemeral_id": "20ac282b-bb1c-455a-a03a-9aef5ea91cc2", + "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.0.0-beta1" + "version": "8.10.1" }, "client": { "ip": "192.168.1.100", 
@@ -36,9 +36,9 @@ "version": "8.10.0" }, "elastic_agent": { - "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", "snapshot": false, - "version": "8.0.0-beta1" + "version": "8.10.1" }, "event": { "action": "web_filter", @@ -48,7 +48,7 @@ "malware" ], "dataset": "juniper_srx.log", - "ingested": "2022-01-01T23:05:23Z", + "ingested": "2023-09-29T11:56:10Z", "kind": "alert", "outcome": "success", "severity": 12, @@ -60,7 +60,7 @@ ] }, "input": { - "type": "udp" + "type": "tcp" }, "juniper": { "srx": { @@ -74,7 +74,7 @@ "log": { "level": "warning", "source": { - "address": "172.18.0.7:60328" + "address": "192.168.192.4:53704" } }, "observer": { @@ -83,6 +83,9 @@ "type": "firewall", "vendor": "Juniper" }, + "process": { + "name": "RT_UTM" + }, "related": { "hosts": [ "www.baidu.com" diff --git a/packages/juniper_srx/docs/README.md b/packages/juniper_srx/docs/README.md index ad6ef84eab23..0e66143304cc 100644 --- a/packages/juniper_srx/docs/README.md +++ b/packages/juniper_srx/docs/README.md 
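Review bot: The juniper_srx sample gains a new top-level `"process": { "name": "RT_UTM" }` that has nothing to do with filestream identity fields and is not mentioned in the changelog; it presumably reflects a pipeline change that landed before the sample was regenerated. If so, say that in the commit description rather than letting it ride along silently; if the pipeline did not change, then the fixture did, and the difference should be understood before the docs are updated. The enclosing event document starts and ends outside the hunk.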
@@ -435,7 +435,13 @@ The following processes and tags are supported:
 | juniper.srx.verdict_number | verdict number | integer |
 | juniper.srx.verdict_source | verdict source | keyword |
 | labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object |
+| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword |
+| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword |
+| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.inode | Inode number of the log file. | keyword |
 | log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword |
 | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
 | log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
 | log.offset | Byte offset of the log line within its file. | long |
diff --git a/packages/juniper_srx/manifest.yml b/packages/juniper_srx/manifest.yml
index acd8cc9c501f..42d2ace70a79 100644
--- a/packages/juniper_srx/manifest.yml
+++ b/packages/juniper_srx/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 2.11.0
 name: juniper_srx
 title: Juniper SRX
-version: "1.16.1"
+version: "1.17.0"
 description: Collect logs from Juniper SRX devices with Elastic Agent.
 categories: ["network", "security", "firewall_security"]
 type: integration
From 5a132466fce8e32a1646367f6bfdedb53febd7ea Mon Sep 17 00:00:00 2001
From: Bharat Pasupula
Date: Fri, 29 Sep 2023 14:38:20 +0200
Subject: [PATCH 09/14] [keycloak] Add filestream fields
---
 packages/keycloak/changelog.yml | 5 +++++
 .../_dev/test/system/test-logfile-config.yml | 6 ++++++
 .../system/test-logfile-non-utc-config.yml | 6 ++++++
 .../keycloak/data_stream/log/fields/beats.yml | 21 +++++++++++++++++++
 packages/keycloak/docs/README.md | 6 ++++++
 packages/keycloak/manifest.yml | 2 +-
 6 files changed, 45 insertions(+), 1 deletion(-)
diff --git a/packages/keycloak/changelog.yml b/packages/keycloak/changelog.yml
index d0358d45615c..948cd5098f04 100644
--- a/packages/keycloak/changelog.yml
+++ b/packages/keycloak/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: 1.15.0
+ changes:
+ - description: Adapt fields for changes in file system info
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8014
 - version: "1.14.0"
 changes:
 - description: Update package to ECS 8.10.0 and align ECS categorization fields.
diff --git a/packages/keycloak/data_stream/log/_dev/test/system/test-logfile-config.yml b/packages/keycloak/data_stream/log/_dev/test/system/test-logfile-config.yml
index b9aae2f62f04..22170cc500ec 100644
--- a/packages/keycloak/data_stream/log/_dev/test/system/test-logfile-config.yml
+++ b/packages/keycloak/data_stream/log/_dev/test/system/test-logfile-config.yml
@@ -8,3 +8,9 @@ data_stream:
 preserve_original_event: true
 tz_offset: -05:00
 only_user_events: false
+numeric_keyword_fields:
+ - log.file.device_id
+ - log.file.inode
+ - log.file.idxhi
+ - log.file.idxlo
+ - log.file.vol
diff --git a/packages/keycloak/data_stream/log/_dev/test/system/test-logfile-non-utc-config.yml b/packages/keycloak/data_stream/log/_dev/test/system/test-logfile-non-utc-config.yml
index 7ab124c3e813..eb587fbc368d 100644
--- a/packages/keycloak/data_stream/log/_dev/test/system/test-logfile-non-utc-config.yml
+++ b/packages/keycloak/data_stream/log/_dev/test/system/test-logfile-non-utc-config.yml
@@ -8,3 +8,9 @@ data_stream:
 preserve_original_event: true
 tz_offset: "+05:00"
 only_user_events: false
+numeric_keyword_fields:
+ - log.file.device_id
+ - log.file.inode
+ - log.file.idxhi
+ - log.file.idxlo
+ - log.file.vol
diff --git a/packages/keycloak/data_stream/log/fields/beats.yml b/packages/keycloak/data_stream/log/fields/beats.yml
index cb44bb29442a..4e189f20187d 100644
--- a/packages/keycloak/data_stream/log/fields/beats.yml
+++ b/packages/keycloak/data_stream/log/fields/beats.yml
@@ -10,3 +10,24 @@
 - name: log.file.path
 type: keyword
 description: Path to the log file.
+- name: log.file
+ type: group
+ fields:
+ - name: device_id
+ type: keyword
+ description: ID of the device containing the filesystem where the file resides.
+ - name: fingerprint
+ type: keyword
+ description: The sha256 fingerprint identity of the file when fingerprinting is enabled.
+ - name: inode
+ type: keyword
+ description: Inode number of the log file.
+ - name: idxhi
+ type: keyword
+ description: The high-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: idxlo
+ type: keyword
+ description: The low-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: vol
+ type: keyword
+ description: The serial number of the volume that contains a file. (Windows-only)
diff --git a/packages/keycloak/docs/README.md b/packages/keycloak/docs/README.md
index 44534f425a19..84f35f428e5f 100644
--- a/packages/keycloak/docs/README.md
+++ b/packages/keycloak/docs/README.md
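Review bot: In the keycloak `beats.yml` hunk, `log.file.path` stays declared as a flat dotted leaf directly above the new `log.file` group, so the same `log.file` object is now described in two places in one file. Moving it into the group — `- name: path`, `type: keyword`, `description: Path to the log file.` under the new `fields:` list — keeps a single definition per object and matches how the other five `log.file.*` fields are declared. The generated README table in the following hunk still lists `log.file.path`, so this is a source-layout change only and does not alter the exported field set.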
@@ -87,7 +87,13 @@ to your configuration XML file (ie standalone.xml) under the path below
 | keycloak.login.redirect_uri | Keycloak redirect URL | keyword |
 | keycloak.login.type | Event Type | keyword |
 | keycloak.realm.id | Keycloak Realm ID | keyword |
+| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword |
+| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword |
+| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.inode | Inode number of the log file. | keyword |
 | log.file.path | Path to the log file. | keyword |
+| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword |
 | log.flags | Flags for the log file. | keyword |
 | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
 | log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
diff --git a/packages/keycloak/manifest.yml b/packages/keycloak/manifest.yml
index 7d3f449fc9b0..e43a047d6dee 100644
--- a/packages/keycloak/manifest.yml
+++ b/packages/keycloak/manifest.yml
@@ -1,6 +1,6 @@
 name: keycloak
 title: Keycloak
-version: "1.14.0"
+version: "1.15.0"
 description: Collect logs from Keycloak with Elastic Agent.
 type: integration
 format_version: 2.11.0
From 7ab69b41bf13f2391954f679e01cc65eb82a6a66 Mon Sep 17 00:00:00 2001
From: Bharat Pasupula
Date: Mon, 2 Oct 2023 15:59:04 +0200
Subject: [PATCH 10/14] [mysql_enterprise] Add new filestream fields
---
 .../_dev/deploy/docker/docker-compose.yml | 3 ++-
 packages/mysql_enterprise/changelog.yml | 5 +++++
 .../_dev/test/system/test-logfile-config.yml | 6 ++++++
 .../data_stream/audit/fields/agent.yml | 21 +++++++++++++++++++
 packages/mysql_enterprise/docs/README.md | 6 ++++++
 packages/mysql_enterprise/manifest.yml | 2 +-
 6 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/packages/mysql_enterprise/_dev/deploy/docker/docker-compose.yml b/packages/mysql_enterprise/_dev/deploy/docker/docker-compose.yml
index 0c79377b3c24..efdcd8f5cfa7 100644
--- a/packages/mysql_enterprise/_dev/deploy/docker/docker-compose.yml
+++ b/packages/mysql_enterprise/_dev/deploy/docker/docker-compose.yml
@@ -1,7 +1,8 @@
-version: '2.3'
+version: '3'
 services:
 mysql-audit-logfile:
 image: alpine
+ tty: true
 volumes:
 - ./sample_logs:/sample_logs:rw
 - ${SERVICE_LOGS_DIR}:/var/log
diff --git a/packages/mysql_enterprise/changelog.yml b/packages/mysql_enterprise/changelog.yml
index 9b84052ea2ad..6191937d3e32 100644
--- a/packages/mysql_enterprise/changelog.yml
+++ b/packages/mysql_enterprise/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: 1.13.0
+ changes:
+ - description: Adapt fields for changes in file system info
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8014
 - version: 1.12.0
 changes:
 - description: ECS version updated to 8.10.0.
diff --git a/packages/mysql_enterprise/data_stream/audit/_dev/test/system/test-logfile-config.yml b/packages/mysql_enterprise/data_stream/audit/_dev/test/system/test-logfile-config.yml
index 162b5355097f..1744417cf7e9 100644
--- a/packages/mysql_enterprise/data_stream/audit/_dev/test/system/test-logfile-config.yml
+++ b/packages/mysql_enterprise/data_stream/audit/_dev/test/system/test-logfile-config.yml
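Review bot: The docker-compose changes in this commit (`version: '2.3'` → `version: '3'` and `tty: true` on the `mysql-audit-logfile` service) are not mentioned in the commit subject or in the changelog entry added alongside them, so their purpose cannot be recovered from the series. A one-line comment above the new key, e.g. `# tty keeps the alpine log-serving container alive for the system test — TODO confirm`, or a sentence in the commit message would make the intent reviewable, and the compose schema bump in particular deserves its own justification since it is a change to the test harness rather than to the package fields. The service definition continues past the end of the hunk.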
@@ -6,3 +6,9 @@ data_stream:
 vars:
 paths:
 - "{{SERVICE_LOGS_DIR}}/mysql_audit.log"
+numeric_keyword_fields:
+ - log.file.device_id
+ - log.file.inode
+ - log.file.idxhi
+ - log.file.idxlo
+ - log.file.vol
diff --git a/packages/mysql_enterprise/data_stream/audit/fields/agent.yml b/packages/mysql_enterprise/data_stream/audit/fields/agent.yml
index e313ec82874b..de557702e493 100644
--- a/packages/mysql_enterprise/data_stream/audit/fields/agent.yml
+++ b/packages/mysql_enterprise/data_stream/audit/fields/agent.yml
@@ -202,3 +202,24 @@
 - name: log.offset
 type: long
 description: Log offset
+- name: log.file
+ type: group
+ fields:
+ - name: device_id
+ type: keyword
+ description: ID of the device containing the filesystem where the file resides.
+ - name: fingerprint
+ type: keyword
+ description: The sha256 fingerprint identity of the file when fingerprinting is enabled.
+ - name: inode
+ type: keyword
+ description: Inode number of the log file.
+ - name: idxhi
+ type: keyword
+ description: The high-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: idxlo
+ type: keyword
+ description: The low-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: vol
+ type: keyword
+ description: The serial number of the volume that contains a file. (Windows-only)
diff --git a/packages/mysql_enterprise/docs/README.md b/packages/mysql_enterprise/docs/README.md
index 777b9c23e857..328180d824a8 100644
--- a/packages/mysql_enterprise/docs/README.md
+++ b/packages/mysql_enterprise/docs/README.md
@@ -68,7 +68,13 @@ The `audit` dataset collects MySQL Enterprise Audit logs.
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
+| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword |
+| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword |
+| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.inode | Inode number of the log file. | keyword |
 | log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword |
 | log.offset | Log offset | long |
 | message | human-readable summary of the event | text |
 | mysqlenterprise.audit.account.host | A string representing the client host name. | keyword |
diff --git a/packages/mysql_enterprise/manifest.yml b/packages/mysql_enterprise/manifest.yml
index 68ddfb2d6951..7232d0ddd8a4 100644
--- a/packages/mysql_enterprise/manifest.yml
+++ b/packages/mysql_enterprise/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.0"
 name: mysql_enterprise
 title: "MySQL Enterprise"
-version: "1.12.0"
+version: "1.13.0"
 description: Collect audit logs from MySQL Enterprise with Elastic Agent.
 type: integration
 categories:
From 209cf89e3c4742da59c88622713e8416128c149a Mon Sep 17 00:00:00 2001
From: Bharat Pasupula
Date: Tue, 3 Oct 2023 10:25:10 +0200
Subject: [PATCH 11/14] [hid_bravura_monitor] Add filestream fields
---
 packages/hid_bravura_monitor/changelog.yml | 5 +++++
 .../test/system/test-filestream-config.yml | 6 ++++++
 .../data_stream/log/fields/agent.yml | 21 +++++++++++++++++++
 packages/hid_bravura_monitor/docs/README.md | 6 ++++++
 packages/hid_bravura_monitor/manifest.yml | 2 +-
 5 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/packages/hid_bravura_monitor/changelog.yml b/packages/hid_bravura_monitor/changelog.yml
index c4b185679477..78aace8b9acf 100644
--- a/packages/hid_bravura_monitor/changelog.yml
+++ b/packages/hid_bravura_monitor/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: 1.15.0
+ changes:
+ - description: Adapt fields for changes in file system info
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8014
 - version: 1.14.0
 changes:
 - description: Set 'partner' owner type.
diff --git a/packages/hid_bravura_monitor/data_stream/log/_dev/test/system/test-filestream-config.yml b/packages/hid_bravura_monitor/data_stream/log/_dev/test/system/test-filestream-config.yml
index 4bd67e9c0f17..66d27b8edba1 100644
--- a/packages/hid_bravura_monitor/data_stream/log/_dev/test/system/test-filestream-config.yml
+++ b/packages/hid_bravura_monitor/data_stream/log/_dev/test/system/test-filestream-config.yml
@@ -5,3 +5,9 @@ data_stream:
 paths:
 - "{{SERVICE_LOGS_DIR}}/*.log"
 preserve_original_event: true
+numeric_keyword_fields:
+ - log.file.device_id
+ - log.file.inode
+ - log.file.idxhi
+ - log.file.idxlo
+ - log.file.vol
diff --git a/packages/hid_bravura_monitor/data_stream/log/fields/agent.yml b/packages/hid_bravura_monitor/data_stream/log/fields/agent.yml
index f9c19a6fedc1..2e752145ee17 100644
--- a/packages/hid_bravura_monitor/data_stream/log/fields/agent.yml
+++ b/packages/hid_bravura_monitor/data_stream/log/fields/agent.yml
@@ -202,3 +202,24 @@
 - name: log.source.address
 type: keyword
 description: Source address from which the log event was read / sent from.
+- name: log.file
+ type: group
+ fields:
+ - name: device_id
+ type: keyword
+ description: ID of the device containing the filesystem where the file resides.
+ - name: fingerprint
+ type: keyword
+ description: The sha256 fingerprint identity of the file when fingerprinting is enabled.
+ - name: inode
+ type: keyword
+ description: Inode number of the log file.
+ - name: idxhi
+ type: keyword
+ description: The high-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: idxlo
+ type: keyword
+ description: The low-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: vol
+ type: keyword
+ description: The serial number of the volume that contains a file. (Windows-only)
diff --git a/packages/hid_bravura_monitor/docs/README.md b/packages/hid_bravura_monitor/docs/README.md
index cff29e5d7fd9..3f11458fdae9 100644
--- a/packages/hid_bravura_monitor/docs/README.md
+++ b/packages/hid_bravura_monitor/docs/README.md
@@ -349,7 +349,13 @@ An example event for `log` looks as following:
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type. | keyword |
 | labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object |
+| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword |
+| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword |
+| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.inode | Inode number of the log file. | keyword |
 | log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword |
 | log.flags | Flags for the log file. | keyword |
 | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
 | log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
diff --git a/packages/hid_bravura_monitor/manifest.yml b/packages/hid_bravura_monitor/manifest.yml
index c0cb77af448b..36a3975e1fb6 100644
--- a/packages/hid_bravura_monitor/manifest.yml
+++ b/packages/hid_bravura_monitor/manifest.yml
@@ -1,6 +1,6 @@
 name: hid_bravura_monitor
 title: Bravura Monitor
-version: "1.14.0"
+version: "1.15.0"
 categories: ["security", "iam"]
 description: Collect logs from Bravura Security Fabric with Elastic Agent.
 type: integration
From 98329b0d517aa79bef5ac26501d9c1273ec56e72 Mon Sep 17 00:00:00 2001
From: Bharat Pasupula
Date: Tue, 3 Oct 2023 10:28:02 +0200
Subject: [PATCH 12/14] [sysmon_linux] Add new filestream fields
---
 packages/sysmon_linux/changelog.yml | 5 +++++
 .../test/system/test-filestream-config.yml | 6 ++++++
 .../data_stream/log/fields/beats.yml | 21 +++++++++++++++++++
 packages/sysmon_linux/docs/README.md | 6 ++++++
 packages/sysmon_linux/manifest.yml | 2 +-
 5 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/packages/sysmon_linux/changelog.yml b/packages/sysmon_linux/changelog.yml
index de430b7ce9c2..b0d43a55f906 100644
--- a/packages/sysmon_linux/changelog.yml
+++ b/packages/sysmon_linux/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: 1.5.0
+ changes:
+ - description: Adapt fields for changes in file system info
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8014
 - version: 1.4.0
 changes:
 - description: ECS version updated to 8.10.0.
diff --git a/packages/sysmon_linux/data_stream/log/_dev/test/system/test-filestream-config.yml b/packages/sysmon_linux/data_stream/log/_dev/test/system/test-filestream-config.yml
index 1240532efb8b..f5d98aedca89 100644
--- a/packages/sysmon_linux/data_stream/log/_dev/test/system/test-filestream-config.yml
+++ b/packages/sysmon_linux/data_stream/log/_dev/test/system/test-filestream-config.yml
@@ -5,3 +5,9 @@ data_stream:
 paths:
 - "{{SERVICE_LOGS_DIR}}/*.log"
 preserve_original_event: true
+numeric_keyword_fields:
+ - log.file.device_id
+ - log.file.inode
+ - log.file.idxhi
+ - log.file.idxlo
+ - log.file.vol
diff --git a/packages/sysmon_linux/data_stream/log/fields/beats.yml b/packages/sysmon_linux/data_stream/log/fields/beats.yml
index 3c48f1f224fb..f37017112692 100644
--- a/packages/sysmon_linux/data_stream/log/fields/beats.yml
+++ b/packages/sysmon_linux/data_stream/log/fields/beats.yml
@@ -1,3 +1,24 @@
 - name: input.type
 type: keyword
 description: Type of Filebeat input.
+- name: log.file
+ type: group
+ fields:
+ - name: device_id
+ type: keyword
+ description: ID of the device containing the filesystem where the file resides.
+ - name: fingerprint
+ type: keyword
+ description: The sha256 fingerprint identity of the file when fingerprinting is enabled.
+ - name: inode
+ type: keyword
+ description: Inode number of the log file.
+ - name: idxhi
+ type: keyword
+ description: The high-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: idxlo
+ type: keyword
+ description: The low-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: vol
+ type: keyword
+ description: The serial number of the volume that contains a file. (Windows-only)
diff --git a/packages/sysmon_linux/docs/README.md b/packages/sysmon_linux/docs/README.md
index 2d6562ff2cbb..5d489a5b6db2 100644
--- a/packages/sysmon_linux/docs/README.md
+++ b/packages/sysmon_linux/docs/README.md
@@ -195,7 +195,13 @@ An example event for `log` looks as following:
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Type of Filebeat input. | keyword |
+| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword |
+| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword |
+| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.inode | Inode number of the log file. | keyword |
 | log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword |
 | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
 | log.offset | Offset of the entry in the log file. | long |
 | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
diff --git a/packages/sysmon_linux/manifest.yml b/packages/sysmon_linux/manifest.yml
index aab3e0c69345..7d65bb7f993f 100644
--- a/packages/sysmon_linux/manifest.yml
+++ b/packages/sysmon_linux/manifest.yml
@@ -1,6 +1,6 @@
 name: sysmon_linux
 title: Sysmon for Linux
-version: "1.4.0"
+version: "1.5.0"
 description: Collect Sysmon Linux logs with Elastic Agent.
 type: integration
 categories:
From d1419f9374df1a67f3e662d44ab252746f0035c7 Mon Sep 17 00:00:00 2001
From: Bharat Pasupula
Date: Tue, 3 Oct 2023 11:00:36 +0200
Subject: [PATCH 13/14] [trendmicro] Add new filestream fields
---
 packages/trendmicro/changelog.yml | 5 +++++
 .../test/system/test-filestream-config.yml | 6 ++++++
 .../deep_security/fields/agent.yml | 21 +++++++++++++++++++
 packages/trendmicro/docs/README.md | 6 ++++++
 packages/trendmicro/manifest.yml | 2 +-
 5 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/packages/trendmicro/changelog.yml b/packages/trendmicro/changelog.yml
index 81deb58137a8..bb51b0b327eb 100644
--- a/packages/trendmicro/changelog.yml
+++ b/packages/trendmicro/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: 1.6.0
+ changes:
+ - description: Adapt fields for changes in file system info
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8014
 - version: 1.5.0
 changes:
 - description: Set 'community' owner type.
diff --git a/packages/trendmicro/data_stream/deep_security/_dev/test/system/test-filestream-config.yml b/packages/trendmicro/data_stream/deep_security/_dev/test/system/test-filestream-config.yml
index 04f01c2e5cd2..d090f11e703f 100644
--- a/packages/trendmicro/data_stream/deep_security/_dev/test/system/test-filestream-config.yml
+++ b/packages/trendmicro/data_stream/deep_security/_dev/test/system/test-filestream-config.yml
@@ -6,3 +6,9 @@ data_stream:
 paths:
 - "{{SERVICE_LOGS_DIR}}/trendmicro.log"
 decode_trendmicro_timezone: UTC
+numeric_keyword_fields:
+ - log.file.device_id
+ - log.file.inode
+ - log.file.idxhi
+ - log.file.idxlo
+ - log.file.vol
diff --git a/packages/trendmicro/data_stream/deep_security/fields/agent.yml b/packages/trendmicro/data_stream/deep_security/fields/agent.yml
index 39d9ad741011..df8246bfab2e 100644
--- a/packages/trendmicro/data_stream/deep_security/fields/agent.yml
+++ b/packages/trendmicro/data_stream/deep_security/fields/agent.yml
@@ -187,3 +187,24 @@
 - name: log.offset
 type: long
 description: Log offset
+- name: log.file
+ type: group
+ fields:
+ - name: device_id
+ type: keyword
+ description: ID of the device containing the filesystem where the file resides.
+ - name: fingerprint
+ type: keyword
+ description: The sha256 fingerprint identity of the file when fingerprinting is enabled.
+ - name: inode
+ type: keyword
+ description: Inode number of the log file.
+ - name: idxhi
+ type: keyword
+ description: The high-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: idxlo
+ type: keyword
+ description: The low-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: vol
+ type: keyword
+ description: The serial number of the volume that contains a file. (Windows-only)
diff --git a/packages/trendmicro/docs/README.md b/packages/trendmicro/docs/README.md
index 8e96d9548afb..46d7d7ced412 100644
--- a/packages/trendmicro/docs/README.md
+++ b/packages/trendmicro/docs/README.md
@@ -101,7 +101,13 @@ Deep Security logs collect the trendmicro deep security logs.
 | http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
 | http.request.referrer | Referrer for this HTTP request. | keyword |
 | input.type | Input type | keyword |
+| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword |
+| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword |
+| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
+| log.file.inode | Inode number of the log file. | keyword |
 | log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword |
 | log.offset | Log offset | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
 | log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
diff --git a/packages/trendmicro/manifest.yml b/packages/trendmicro/manifest.yml
index 981e676c7068..715d4c26f81b 100644
--- a/packages/trendmicro/manifest.yml
+++ b/packages/trendmicro/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.0"
 name: trendmicro
 title: "Trendmicro"
-version: "1.5.0"
+version: "1.6.0"
 description: "collect Trendmicro Deep Security events with elastic agent."
 type: integration
 categories:
From fa534b1f297414944209315e4b2a0f3120bac0f3 Mon Sep 17 00:00:00 2001
From: Marius Iversen
Date: Tue, 3 Oct 2023 12:40:48 +0200
Subject: [PATCH 14/14] running system tests and generating new readme
---
 .../data_stream/log/sample_event.json | 170 +++++++++---------
 packages/cisco_ise/docs/README.md | 168 +++++++++--------
 .../data_stream/log/sample_event.json | 14 +-
 packages/cisco_nexus/docs/README.md | 14 +-
 .../data_stream/log/sample_event.json | 16 +-
 packages/f5_bigip/docs/README.md | 16 +-
 .../data_stream/log/sample_event.json | 14 +-
 packages/fortinet_fortimail/docs/README.md | 14 +-
 .../data_stream/log/sample_event.json | 14 +-
 packages/fortinet_fortimanager/docs/README.md | 14 +-
 .../data_stream/log/sample_event.json | 27 +--
 packages/hid_bravura_monitor/docs/README.md | 27 +--
 packages/hid_bravura_monitor/validation.yml | 2 +-
 .../data_stream/log/sample_event.json | 14 +-
 .../data_stream/log/sample_event.json | 28 +--
 packages/keycloak/docs/README.md | 28 +--
 .../data_stream/audit/sample_event.json | 22 +--
 packages/mysql_enterprise/docs/README.md | 22 +--
 .../data_stream/log/sample_event.json | 24 +--
 packages/sysmon_linux/docs/README.md | 24 +--
 packages/sysmon_linux/validation.yml | 2 +-
 .../deep_security/sample_event.json | 14 +-
 22 files changed, 352 insertions(+), 336 deletions(-)
diff --git a/packages/cisco_ise/data_stream/log/sample_event.json b/packages/cisco_ise/data_stream/log/sample_event.json
index 02d622e3810e..894728309a32 100644
--- a/packages/cisco_ise/data_stream/log/sample_event.json
+++ b/packages/cisco_ise/data_stream/log/sample_event.json
@@ -1,166 +1,164 @@ { - "@timestamp": "2020-04-27T11:11:47.028-08:00", + "@timestamp": "2020-02-21T19:13:08.328Z", "agent": { - "ephemeral_id": "4fb324f6-0ab6-4de4-a7df-697bf22a882a", - "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", + "ephemeral_id": "1c70d737-7545-456d-8fb9-7033dca67ed3", + "id": "901f4c48-583a-4848-aa7b-89dc8e9c4b76", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.10.1" + "version": "8.10.2" }, "cisco_ise": { "log": { "acct": { - "authentic": "RADIUS", - "session": { - "id": "00000000/d4:ca:6d:14:87:3b/20879" - }, - "status": { - "type": "Start" + "request": { + "flags": "Stop" } }, "acs": { "session": { - "id": "hijk.xyz.com/176956368/1092777" - } - }, - "airespace": { - "wlan": { - "id": 1 - } - }, - "allowed_protocol": { - "matched": { - "rule": "Default" + "id": "ldnnacpsn1/359344348/952729" } }, - "called_station": { - "id": "00-24-97-69-7a-c0" - }, - "calling_station": { - "id": "d4-ca-6d-14-87-3b" + "authen_method": "TacacsPlus", + "avpair": { + "priv_lvl": 15, + "start_time": "2020-03-26T01:17:12.000Z", + "task_id": "2962", + "timezone": "GMT" }, "category": { - "name": "CISE_RADIUS_Accounting" + "name": "CISE_TACACS_Accounting" }, - "class": "CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772", + "cmdset": "[ CmdAV=show mac-address-table ]", "config_version": { - "id": 33 + "id": 1829 }, "cpm": { "session": { - "id": "0a222bc0000000d123e111f0" + "id": "81.2.69.144Accounting306034364" } }, - "event": { - "timestamp": "2014-01-10T07:59:55.000Z" - }, - "framed": { - "ip": "81.2.69.145" + "device": { + "type": [ + "Device Type#All Device Types#Routers", + "Device Type#All Device Types#Routers" + ] }, - "location": "Location#All Locations#SJC#WNBU", + "ipsec": [ + "IPSEC#Is IPSEC Device", + "IPSEC#Is IPSEC Device" + ], + "location": [ + "Location#All Locations#EMEA", + "Location#All Locations#EMEA" + ], "message": { - "code": "3000", - "description": "Radius-Accounting: RADIUS Accounting start request", - "id": 
"0000070618" - }, - "nas": { - "identifier": "Acme_fe:56:00", - "ip": "81.2.69.145", - "port": { - "number": 13, - "type": "Wireless - IEEE 802.11" - } + "code": "3300", + "description": "Tacacs-Accounting: TACACS+ Accounting with Command", + "id": "0000000001" + }, + "model": { + "name": "Unknown" }, "network": { "device": { "groups": [ - "Location#All Locations#SJC#WNBU", - "Device Type#All Device Types#Wireless#WLC" + "Location#All Locations#EMEA", + "Device Type#All Device Types#Routers", + "IPSEC#Is IPSEC Device" ], - "name": "WNBU-WLC1" + "name": "wlnwan1", + "profile": [ + "Cisco", + "Cisco" + ] } }, + "port": "tty10", + "privilege": { + "level": 15 + }, "request": { - "latency": 6 + "latency": 1 + }, + "response": { + "AcctReply-Status": "Success" }, "segment": { "number": 0, - "total": 1 + "total": 4 }, "selected": { "access": { - "service": "Default Network Access" + "service": "Device Admin - TACACS" } }, + "service": { + "argument": "shell", + "name": "Login" + }, + "software": { + "version": "Unknown" + }, "step": [ - "11004", - "11017", + "13006", "15049", "15008", "15048", - "15048", - "15048", - "15004", - "15006", - "11005" + "13035" ], - "tunnel": { - "medium": { - "type": "(tag=0) 802" - }, - "private": { - "group_id": "(tag=0) 70" - }, - "type": "(tag=0) VLAN" - } + "type": "Accounting" } }, "client": { - "ip": "81.2.69.145" + "ip": "81.2.69.144" }, "data_stream": { "dataset": "cisco_ise.log", "namespace": "ep", "type": "logs" }, + "destination": { + "ip": "81.2.69.144" + }, "ecs": { "version": "8.10.0" }, "elastic_agent": { - "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", + "id": "901f4c48-583a-4848-aa7b-89dc8e9c4b76", "snapshot": false, - "version": "8.10.1" + "version": "8.10.2" }, "event": { - "action": "radius-accounting", + "action": "tacacs-accounting", "agent_id_status": "verified", "category": [ "configuration" ], "dataset": "cisco_ise.log", - "ingested": "2023-09-29T09:49:22Z", + "ingested": "2023-10-03T09:31:56Z", "kind": "event", - 
"original": "<182>Apr 27 11:11:47 hijk.xyz.com CISE_RADIUS_Accounting 0000070618 1 0 2020-04-27 11:11:47.028075 -08:00 0091827141 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=6, NetworkDeviceName=WNBU-WLC1, User-Name=nisehorrrrn, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=81.2.69.145, Class=CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=d4-ca-6d-14-87-3b, NAS-Identifier=Acme_fe:56:00, Acct-Status-Type=Start, Acct-Session-Id=00000000/d4:ca:6d:14:87:3b/20879, Acct-Authentic=RADIUS, Event-Timestamp=1389340795, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, Airespace-Wlan-Id=1, AcsSessionID=hijk.xyz.com/176956368/1092777, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a222bc0000000d123e111f0, AllowedProtocolMatchedRule=Default, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC", - "sequence": 91827141, - "timezone": "-08:00", + "original": "<182>Feb 21 19:13:08 cisco-ise-host CISE_TACACS_Accounting 0000000001 4 0 2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=2962, AVPair=timezone=GMT, AVPair=start_time=1585185432, AVPair=priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, 
AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", + "sequence": 18415781, + "timezone": "+00:00", "type": [ "info" ] }, "host": { - "hostname": "hijk.xyz.com" + "hostname": "cisco-ise-host" }, "input": { "type": "filestream" }, "log": { "file": { - "device_id": 141, - "inode": 18853370, + "device_id": 2080, + "inode": 88860, "path": "/tmp/service_logs/log.log" }, "level": "notice", - "offset": 44899, + "offset": 71596, "syslog": { "priority": 182, "severity": { 
@@ -168,16 +166,16 @@ } } }, - "message": "2020-04-27 11:11:47.028075 -08:00 0091827141 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=6, NetworkDeviceName=WNBU-WLC1, User-Name=nisehorrrrn, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=81.2.69.145, Class=CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=d4-ca-6d-14-87-3b, NAS-Identifier=Acme_fe:56:00, Acct-Status-Type=Start, Acct-Session-Id=00000000/d4:ca:6d:14:87:3b/20879, Acct-Authentic=RADIUS, Event-Timestamp=1389340795, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, Airespace-Wlan-Id=1, AcsSessionID=hijk.xyz.com/176956368/1092777, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a222bc0000000d123e111f0, AllowedProtocolMatchedRule=Default, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC", + "message": "2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=2962, AVPair=timezone=GMT, AVPair=start_time=1585185432, AVPair=priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, 
NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", "related": { "hosts": [ - "hijk.xyz.com" + "cisco-ise-host" ], "ip": [ - "81.2.69.145" + "81.2.69.144" ], "user": [ - "nisehorrrrn" + "psxvne" ] }, "tags": [ @@ -186,6 +184,6 @@ "cisco_ise-log" ], "user": { - "name": "nisehorrrrn" + "name": "psxvne" } } \ No newline at end of file diff --git a/packages/cisco_ise/docs/README.md b/packages/cisco_ise/docs/README.md index 8bbc2ba4b04a..568b4a8a20ff 100644 --- a/packages/cisco_ise/docs/README.md +++ b/packages/cisco_ise/docs/README.md 
@@ -35,168 +35,166 @@ An example event for `log` looks as following: ```json { - "@timestamp": "2020-04-27T11:11:47.028-08:00", + "@timestamp": "2020-02-21T19:13:08.328Z", "agent": { - "ephemeral_id": "4fb324f6-0ab6-4de4-a7df-697bf22a882a", - "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", + "ephemeral_id": "1c70d737-7545-456d-8fb9-7033dca67ed3", + "id": "901f4c48-583a-4848-aa7b-89dc8e9c4b76", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.10.1" + "version": "8.10.2" }, "cisco_ise": { "log": { "acct": { - "authentic": "RADIUS", - "session": { - "id": "00000000/d4:ca:6d:14:87:3b/20879" - }, - "status": { - "type": "Start" + "request": { + "flags": "Stop" } }, "acs": { "session": { - "id": "hijk.xyz.com/176956368/1092777" - } - }, - "airespace": { - "wlan": { - "id": 1 - } - }, - "allowed_protocol": { - "matched": { - "rule": "Default" + "id": "ldnnacpsn1/359344348/952729" } }, - "called_station": { - "id": "00-24-97-69-7a-c0" - }, - "calling_station": { - "id": "d4-ca-6d-14-87-3b" + "authen_method": "TacacsPlus", + "avpair": { + "priv_lvl": 15, + "start_time": "2020-03-26T01:17:12.000Z", + "task_id": "2962", + "timezone": "GMT" }, "category": { - "name": "CISE_RADIUS_Accounting" + "name": "CISE_TACACS_Accounting" }, - "class": "CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772", + "cmdset": "[ CmdAV=show mac-address-table ]", "config_version": { - "id": 33 + "id": 1829 }, "cpm": { "session": { - "id": "0a222bc0000000d123e111f0" + "id": "81.2.69.144Accounting306034364" } }, - "event": { - "timestamp": "2014-01-10T07:59:55.000Z" - }, - "framed": { - "ip": "81.2.69.145" + "device": { + "type": [ + "Device Type#All Device Types#Routers", + "Device Type#All Device Types#Routers" + ] }, - "location": "Location#All Locations#SJC#WNBU", + "ipsec": [ + "IPSEC#Is IPSEC Device", + "IPSEC#Is IPSEC Device" + ], + "location": [ + "Location#All Locations#EMEA", + "Location#All Locations#EMEA" + ], "message": { - "code": "3000", - "description": 
"Radius-Accounting: RADIUS Accounting start request", - "id": "0000070618" + "code": "3300", + "description": "Tacacs-Accounting: TACACS+ Accounting with Command", + "id": "0000000001" }, - "nas": { - "identifier": "Acme_fe:56:00", - "ip": "81.2.69.145", - "port": { - "number": 13, - "type": "Wireless - IEEE 802.11" - } + "model": { + "name": "Unknown" }, "network": { "device": { "groups": [ - "Location#All Locations#SJC#WNBU", - "Device Type#All Device Types#Wireless#WLC" + "Location#All Locations#EMEA", + "Device Type#All Device Types#Routers", + "IPSEC#Is IPSEC Device" ], - "name": "WNBU-WLC1" + "name": "wlnwan1", + "profile": [ + "Cisco", + "Cisco" + ] } }, + "port": "tty10", + "privilege": { + "level": 15 + }, "request": { - "latency": 6 + "latency": 1 + }, + "response": { + "AcctReply-Status": "Success" }, "segment": { "number": 0, - "total": 1 + "total": 4 }, "selected": { "access": { - "service": "Default Network Access" + "service": "Device Admin - TACACS" } }, + "service": { + "argument": "shell", + "name": "Login" + }, + "software": { + "version": "Unknown" + }, "step": [ - "11004", - "11017", + "13006", "15049", "15008", "15048", - "15048", - "15048", - "15004", - "15006", - "11005" + "13035" ], - "tunnel": { - "medium": { - "type": "(tag=0) 802" - }, - "private": { - "group_id": "(tag=0) 70" - }, - "type": "(tag=0) VLAN" - } + "type": "Accounting" } }, "client": { - "ip": "81.2.69.145" + "ip": "81.2.69.144" }, "data_stream": { "dataset": "cisco_ise.log", "namespace": "ep", "type": "logs" }, + "destination": { + "ip": "81.2.69.144" + }, "ecs": { "version": "8.10.0" }, "elastic_agent": { - "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", + "id": "901f4c48-583a-4848-aa7b-89dc8e9c4b76", "snapshot": false, - "version": "8.10.1" + "version": "8.10.2" }, "event": { - "action": "radius-accounting", + "action": "tacacs-accounting", "agent_id_status": "verified", "category": [ "configuration" ], "dataset": "cisco_ise.log", - "ingested": "2023-09-29T09:49:22Z", + 
"ingested": "2023-10-03T09:31:56Z", "kind": "event", - "original": "<182>Apr 27 11:11:47 hijk.xyz.com CISE_RADIUS_Accounting 0000070618 1 0 2020-04-27 11:11:47.028075 -08:00 0091827141 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=6, NetworkDeviceName=WNBU-WLC1, User-Name=nisehorrrrn, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=81.2.69.145, Class=CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=d4-ca-6d-14-87-3b, NAS-Identifier=Acme_fe:56:00, Acct-Status-Type=Start, Acct-Session-Id=00000000/d4:ca:6d:14:87:3b/20879, Acct-Authentic=RADIUS, Event-Timestamp=1389340795, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, Airespace-Wlan-Id=1, AcsSessionID=hijk.xyz.com/176956368/1092777, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a222bc0000000d123e111f0, AllowedProtocolMatchedRule=Default, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC", - "sequence": 91827141, - "timezone": "-08:00", + "original": "<182>Feb 21 19:13:08 cisco-ise-host CISE_TACACS_Accounting 0000000001 4 0 2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=2962, AVPair=timezone=GMT, AVPair=start_time=1585185432, AVPair=priv-lvl=15, 
AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", + "sequence": 18415781, + "timezone": "+00:00", "type": [ "info" ] }, "host": { - "hostname": "hijk.xyz.com" + "hostname": "cisco-ise-host" }, "input": { "type": "filestream" }, "log": { "file": { - "device_id": 141, - "inode": 18853370, + "device_id": 2080, + "inode": 88860, "path": "/tmp/service_logs/log.log" }, "level": "notice", - "offset": 44899, + "offset": 71596, "syslog": { "priority": 182, "severity": { 
@@ -204,16 +202,16 @@ An example event for `log` looks as following: } } }, - "message": "2020-04-27 11:11:47.028075 -08:00 0091827141 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=33, Device IP Address=81.2.69.145, RequestLatency=6, NetworkDeviceName=WNBU-WLC1, User-Name=nisehorrrrn, NAS-IP-Address=81.2.69.145, NAS-Port=13, Framed-IP-Address=81.2.69.145, Class=CACS:0a2025060001794f52cfa877:hijk.xyz.com/176956368/1092772, Called-Station-ID=00-24-97-69-7a-c0, Calling-Station-ID=d4-ca-6d-14-87-3b, NAS-Identifier=Acme_fe:56:00, Acct-Status-Type=Start, Acct-Session-Id=00000000/d4:ca:6d:14:87:3b/20879, Acct-Authentic=RADIUS, Event-Timestamp=1389340795, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, Airespace-Wlan-Id=1, AcsSessionID=hijk.xyz.com/176956368/1092777, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a222bc0000000d123e111f0, AllowedProtocolMatchedRule=Default, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC", + "message": "2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=2962, AVPair=timezone=GMT, AVPair=start_time=1585185432, AVPair=priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, 
Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", "related": { "hosts": [ - "hijk.xyz.com" + "cisco-ise-host" ], "ip": [ - "81.2.69.145" + "81.2.69.144" ], "user": [ - "nisehorrrrn" + "psxvne" ] }, "tags": [ @@ -222,7 +220,7 @@ An example event for `log` looks as following: "cisco_ise-log" ], "user": { - "name": "nisehorrrrn" + "name": "psxvne" } } ``` diff --git a/packages/cisco_nexus/data_stream/log/sample_event.json b/packages/cisco_nexus/data_stream/log/sample_event.json index df07e6a5aeda..78646bccab16 100644 --- a/packages/cisco_nexus/data_stream/log/sample_event.json +++ b/packages/cisco_nexus/data_stream/log/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2023-04-26T09:08:48.000Z", "agent": { - "ephemeral_id": "eb61ca35-ffda-44d8-8daf-6412d75b3f1f", - "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", + "ephemeral_id": "81553388-678e-4d17-8f75-7c7870f7f06c", + "id": "45b4f828-da65-463c-980e-09ba9a67922b", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.10.1" + "version": "8.10.2" }, "cisco_nexus": { "log": { @@ -29,9 +29,9 @@ "version": "8.10.0" }, "elastic_agent": { - "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", + "id": "45b4f828-da65-463c-980e-09ba9a67922b", "snapshot": false, - "version": "8.10.1" + "version": "8.10.2" }, "event": { "agent_id_status": "verified", 
@@ -40,7 +40,7 @@ ], "code": "NF_PARITY_ERROR", "dataset": "cisco_nexus.log", - "ingested": "2023-09-29T09:33:45Z", + "ingested": "2023-10-03T09:37:59Z", "kind": "event", "original": "<187>switchname: 2023 Apr 26 09:08:48 UTC: %EARL-SW2_DFC1-3-NF_PARITY_ERROR: EARL 0 NF ASIC: Uncorrectable Parity error in Netflow Table.", "severity": 3, @@ -54,7 +54,7 @@ "log": { "level": "error", "source": { - "address": "192.168.192.4:38964" + "address": "192.168.0.5:48836" }, "syslog": { "facility": { diff --git a/packages/cisco_nexus/docs/README.md b/packages/cisco_nexus/docs/README.md index b9e2be3c3654..08a5657452be 100644 --- a/packages/cisco_nexus/docs/README.md +++ b/packages/cisco_nexus/docs/README.md @@ -46,11 +46,11 @@ An example event for `log` looks as following: { "@timestamp": "2023-04-26T09:08:48.000Z", "agent": { - "ephemeral_id": "eb61ca35-ffda-44d8-8daf-6412d75b3f1f", - "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", + "ephemeral_id": "81553388-678e-4d17-8f75-7c7870f7f06c", + "id": "45b4f828-da65-463c-980e-09ba9a67922b", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.10.1" + "version": "8.10.2" }, "cisco_nexus": { "log": { @@ -74,9 +74,9 @@ An example event for `log` looks as following: "version": "8.10.0" }, "elastic_agent": { - "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", + "id": "45b4f828-da65-463c-980e-09ba9a67922b", "snapshot": false, - "version": "8.10.1" + "version": "8.10.2" }, "event": { "agent_id_status": "verified", @@ -85,7 +85,7 @@ An example event for `log` looks as following: ], "code": "NF_PARITY_ERROR", "dataset": "cisco_nexus.log", - "ingested": "2023-09-29T09:33:45Z", + "ingested": "2023-10-03T09:37:59Z", "kind": "event", "original": "<187>switchname: 2023 Apr 26 09:08:48 UTC: %EARL-SW2_DFC1-3-NF_PARITY_ERROR: EARL 0 NF ASIC: Uncorrectable Parity error in Netflow Table.", "severity": 3, 
@@ -99,7 +99,7 @@ An example event for `log` looks as following: "log": { "level": "error", "source": { - "address": "192.168.192.4:38964" + "address": "192.168.0.5:48836" }, "syslog": { "facility": { diff --git a/packages/f5_bigip/data_stream/log/sample_event.json b/packages/f5_bigip/data_stream/log/sample_event.json index 3a1350d9dfda..2f1f444470a8 100644 --- a/packages/f5_bigip/data_stream/log/sample_event.json +++ b/packages/f5_bigip/data_stream/log/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2018-11-19T22:34:40.000Z", "agent": { - "ephemeral_id": "7424b1c1-85c4-4e8c-8f5f-ec6f67672622", - "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", + "ephemeral_id": "b2702795-ff0f-4411-b118-3905167e6def", + "id": "28857421-72df-47d1-a881-abece3f8bd81", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.10.1" + "version": "8.10.2" }, "client": { "ip": "81.2.69.142" @@ -23,9 +23,9 @@ "version": "8.10.0" }, "elastic_agent": { - "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", + "id": "28857421-72df-47d1-a881-abece3f8bd81", "snapshot": false, - "version": "8.10.1" + "version": "8.10.2" }, "event": { "agent_id_status": "verified", 
@@ -33,7 +33,7 @@ "network" ], "dataset": "f5_bigip.log", - "ingested": "2023-09-29T08:22:16Z", + "ingested": "2023-10-03T09:46:22Z", "kind": "event", "original": "{\"hostname\":\"hostname\",\"management_ip_address\":\"81.2.69.142\",\"management_ip_address_2\":\"81.2.69.144\",\"http_class_name\":\"/Common/abc/test\",\"web_application_name\":\"/Common/abc\",\"policy_name\":\"/Common/abc\",\"policy_apply_date\":\"2018-11-19 22:17:57\",\"violations\":\"Evasion technique detected\",\"support_id\":\"123456789\",\"request_status\":\"blocked\",\"response_code\":\"0\",\"ip_client\":\"81.2.69.142\",\"route_domain\":\"example.com\",\"method\":\"GET\",\"protocol\":\"HTTP\",\"query_string\":\"name=abc\",\"x_forwarded_for_header_value\":\"81.2.69.144\",\"sig_ids\":\"abc12bcd\",\"sig_names\":\"Sig_Name\",\"date_time\":\"2018-11-19 22:34:40\",\"severity\":\"Critical\",\"attack_type\":\"Detection Evasion\",\"geo_location\":\"US\",\"ip_address_intelligence\":\"host1\",\"username\":\"test User\",\"session_id\":\"abc123abcd\",\"src_port\":\"49804\",\"dest_port\":\"80\",\"dest_ip\":\"81.2.69.142\",\"sub_violations\":\"Evasion technique detected:Directory traversals\",\"virus_name\":\"test Virus\",\"violation_rating\":\"3\",\"websocket_direction\":\"test\",\"websocket_message_type\":\"test\",\"device_id\":\"12bdca32\",\"staged_sig_ids\":\"abc23121bc\",\"staged_sig_names\":\"test_name\",\"threat_campaign_names\":\"threat\",\"staged_threat_campaign_names\":\"test\",\"blocking_exception_reason\":\"test\",\"captcha_result\":\"not_received\",\"uri\":\"/directory/file\",\"fragment\":\"test_Fragment\",\"request\":\"GET /admin/.\",\"tenant\":\"Common\",\"application\":\"app.app\",\"telemetryEventCategory\":\"ASM\"}", "type": [ @@ -154,8 +154,8 @@ }, "log": { "file": { - "device_id": 141, - "inode": 18837280, + "device_id": 2080, + "inode": 89387, "path": "/tmp/service_logs/log.log" }, "level": "critical", 
diff --git a/packages/f5_bigip/docs/README.md b/packages/f5_bigip/docs/README.md index 068470027508..280fb916c5c2 100644 --- a/packages/f5_bigip/docs/README.md +++ b/packages/f5_bigip/docs/README.md @@ -161,11 +161,11 @@ An example event for `log` looks as following: { "@timestamp": "2018-11-19T22:34:40.000Z", "agent": { - "ephemeral_id": "7424b1c1-85c4-4e8c-8f5f-ec6f67672622", - "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", + "ephemeral_id": "b2702795-ff0f-4411-b118-3905167e6def", + "id": "28857421-72df-47d1-a881-abece3f8bd81", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.10.1" + "version": "8.10.2" }, "client": { "ip": "81.2.69.142" @@ -183,9 +183,9 @@ An example event for `log` looks as following: "version": "8.10.0" }, "elastic_agent": { - "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", + "id": "28857421-72df-47d1-a881-abece3f8bd81", "snapshot": false, - "version": "8.10.1" + "version": "8.10.2" }, "event": { "agent_id_status": "verified", 
@@ -193,7 +193,7 @@ An example event for `log` looks as following: "network" ], "dataset": "f5_bigip.log", - "ingested": "2023-09-29T08:22:16Z", + "ingested": "2023-10-03T09:46:22Z", "kind": "event", "original": "{\"hostname\":\"hostname\",\"management_ip_address\":\"81.2.69.142\",\"management_ip_address_2\":\"81.2.69.144\",\"http_class_name\":\"/Common/abc/test\",\"web_application_name\":\"/Common/abc\",\"policy_name\":\"/Common/abc\",\"policy_apply_date\":\"2018-11-19 22:17:57\",\"violations\":\"Evasion technique detected\",\"support_id\":\"123456789\",\"request_status\":\"blocked\",\"response_code\":\"0\",\"ip_client\":\"81.2.69.142\",\"route_domain\":\"example.com\",\"method\":\"GET\",\"protocol\":\"HTTP\",\"query_string\":\"name=abc\",\"x_forwarded_for_header_value\":\"81.2.69.144\",\"sig_ids\":\"abc12bcd\",\"sig_names\":\"Sig_Name\",\"date_time\":\"2018-11-19 22:34:40\",\"severity\":\"Critical\",\"attack_type\":\"Detection Evasion\",\"geo_location\":\"US\",\"ip_address_intelligence\":\"host1\",\"username\":\"test User\",\"session_id\":\"abc123abcd\",\"src_port\":\"49804\",\"dest_port\":\"80\",\"dest_ip\":\"81.2.69.142\",\"sub_violations\":\"Evasion technique detected:Directory traversals\",\"virus_name\":\"test Virus\",\"violation_rating\":\"3\",\"websocket_direction\":\"test\",\"websocket_message_type\":\"test\",\"device_id\":\"12bdca32\",\"staged_sig_ids\":\"abc23121bc\",\"staged_sig_names\":\"test_name\",\"threat_campaign_names\":\"threat\",\"staged_threat_campaign_names\":\"test\",\"blocking_exception_reason\":\"test\",\"captcha_result\":\"not_received\",\"uri\":\"/directory/file\",\"fragment\":\"test_Fragment\",\"request\":\"GET /admin/.\",\"tenant\":\"Common\",\"application\":\"app.app\",\"telemetryEventCategory\":\"ASM\"}", "type": [ 
@@ -314,8 +314,8 @@ An example event for `log` looks as following: }, "log": { "file": { - "device_id": 141, - "inode": 18837280, + "device_id": 2080, + "inode": 89387, "path": "/tmp/service_logs/log.log" }, "level": "critical", diff --git a/packages/fortinet_fortimail/data_stream/log/sample_event.json b/packages/fortinet_fortimail/data_stream/log/sample_event.json index 21b60eece1ba..595a57857721 100644 --- a/packages/fortinet_fortimail/data_stream/log/sample_event.json +++ b/packages/fortinet_fortimail/data_stream/log/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2013-02-25T07:01:34.000Z", "agent": { - "ephemeral_id": "72562740-51f7-47c3-9398-83330775b2e3", - "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", + "ephemeral_id": "6e27a1ae-39ab-4632-8e9b-d6d0b7a1e56b", + "id": "4a5f8370-e38c-43b1-9dc9-b2c1e0788c6d", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.10.1" + "version": "8.10.2" }, "data_stream": { "dataset": "fortinet_fortimail.log", @@ -19,9 +19,9 @@ "version": "8.10.0" }, "elastic_agent": { - "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", + "id": "4a5f8370-e38c-43b1-9dc9-b2c1e0788c6d", "snapshot": false, - "version": "8.10.1" + "version": "8.10.2" }, "email": { "direction": "unknown", @@ -42,7 +42,7 @@ "agent_id_status": "verified", "code": "0200025843", "dataset": "fortinet_fortimail.log", - "ingested": "2023-09-29T11:24:14Z", + "ingested": "2023-10-03T09:51:39Z", "kind": "event", "original": "<187>date=2013-02-25,time=07:01:34,device_id=FE100C3909600504,log_id=0200025843,type=statistics,pri=information,session_id=\"r1PF1YTh025836-r1PF1YTh025836\",client_name=\"user\",dst_ip=\"81.2.69.194\",endpoint=\"\",from=\"aaa@bbb.com\",to=\"user1@example.com\",polid=\"0:1:0\",domain=\"example.com\",subject=\"Test12345\",mailer=\"proxy\",resolved=\"FAIL\",direction=\"unknown\",virus=\"\",disposition=\"Delay\",classifier=\"Session Limits\",message_length=\"199986\"", "outcome": "failure" 
@@ -80,7 +80,7 @@ "log": { "level": "information", "source": { - "address": "192.168.192.4:56080" + "address": "192.168.144.4:54368" }, "syslog": { "facility": { diff --git a/packages/fortinet_fortimail/docs/README.md b/packages/fortinet_fortimail/docs/README.md index 9a843e9d32b7..0d279064a3c9 100644 --- a/packages/fortinet_fortimail/docs/README.md +++ b/packages/fortinet_fortimail/docs/README.md @@ -56,11 +56,11 @@ An example event for `log` looks as following: { "@timestamp": "2013-02-25T07:01:34.000Z", "agent": { - "ephemeral_id": "72562740-51f7-47c3-9398-83330775b2e3", - "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", + "ephemeral_id": "6e27a1ae-39ab-4632-8e9b-d6d0b7a1e56b", + "id": "4a5f8370-e38c-43b1-9dc9-b2c1e0788c6d", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.10.1" + "version": "8.10.2" }, "data_stream": { "dataset": "fortinet_fortimail.log", @@ -74,9 +74,9 @@ An example event for `log` looks as following: "version": "8.10.0" }, "elastic_agent": { - "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485", + "id": "4a5f8370-e38c-43b1-9dc9-b2c1e0788c6d", "snapshot": false, - "version": "8.10.1" + "version": "8.10.2" }, "email": { "direction": "unknown", @@ -97,7 +97,7 @@ An example event for `log` looks as following: "agent_id_status": "verified", "code": "0200025843", "dataset": "fortinet_fortimail.log", - "ingested": "2023-09-29T11:24:14Z", + "ingested": "2023-10-03T09:51:39Z", "kind": "event", "original": "<187>date=2013-02-25,time=07:01:34,device_id=FE100C3909600504,log_id=0200025843,type=statistics,pri=information,session_id=\"r1PF1YTh025836-r1PF1YTh025836\",client_name=\"user\",dst_ip=\"81.2.69.194\",endpoint=\"\",from=\"aaa@bbb.com\",to=\"user1@example.com\",polid=\"0:1:0\",domain=\"example.com\",subject=\"Test12345\",mailer=\"proxy\",resolved=\"FAIL\",direction=\"unknown\",virus=\"\",disposition=\"Delay\",classifier=\"Session Limits\",message_length=\"199986\"", "outcome": "failure" 
@@ -135,7 +135,7 @@ An example event for `log` looks as following:
 "log": {
 "level": "information",
 "source": {
- "address": "192.168.192.4:56080"
+ "address": "192.168.144.4:54368"
 },
 "syslog": {
 "facility": {
diff --git a/packages/fortinet_fortimanager/data_stream/log/sample_event.json b/packages/fortinet_fortimanager/data_stream/log/sample_event.json
index 9c6890bf1c34..5d2309eb795b 100644
--- a/packages/fortinet_fortimanager/data_stream/log/sample_event.json
+++ b/packages/fortinet_fortimanager/data_stream/log/sample_event.json
@@ -1,11 +1,11 @@
 {
 "@timestamp": "2023-02-19T22:20:11.000Z",
 "agent": {
- "ephemeral_id": "571642d6-afbf-444b-a9ac-b4a282112ade",
- "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485",
+ "ephemeral_id": "8937d089-d80c-4225-9177-d6286824defd",
+ "id": "1c091add-3dae-4323-a5e8-648158c83b7b",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.10.1"
+ "version": "8.10.2"
 },
 "data_stream": {
 "dataset": "fortinet_fortimanager.log",
@@ -19,15 +19,15 @@
 "version": "8.10.0"
 },
 "elastic_agent": {
- "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485",
+ "id": "1c091add-3dae-4323-a5e8-648158c83b7b",
 "snapshot": false,
- "version": "8.10.1"
+ "version": "8.10.2"
 },
 "event": {
 "action": "roll",
 "agent_id_status": "verified",
 "dataset": "fortinet_fortimanager.log",
- "ingested": "2023-09-29T11:36:28Z",
+ "ingested": "2023-10-03T09:57:15Z",
 "kind": "event",
 "original": "<134>date=2023-02-20 time=03:20:11 tz=\"+0500\" devname=Crest-Elastic-FMG-VM64 device_id=FMGVMSTM23000100 log_id=0031040026 type=event subtype=logfile pri=information desc=\"Rolling disk log file\" user=\"system\" userfrom=\"system\" msg=\"Rolled log file glog.1676746501.log of device SYSLOG-0A32041A [SYSLOG-0A32041A] vdom root.\" operation=\"Roll logfile\" performed_on=\"\" changes=\"Rolled log file.\" action=\"roll\"",
 "timezone": "+0500",
@@ -69,7 +69,7 @@
 },
 "log": {
 "source": {
- "address": "192.168.192.4:54028"
+ "address": "192.168.224.5:58676"
 }
 },
 "message": "Rolled log file glog.1676746501.log of device SYSLOG-0A32041A [SYSLOG-0A32041A] vdom root.",
diff --git a/packages/fortinet_fortimanager/docs/README.md b/packages/fortinet_fortimanager/docs/README.md
index 9b1b315cbe64..6ccfd10e99d9 100644
--- a/packages/fortinet_fortimanager/docs/README.md
+++ b/packages/fortinet_fortimanager/docs/README.md
@@ -50,11 +50,11 @@ An example event for `log` looks as following:
 {
 "@timestamp": "2023-02-19T22:20:11.000Z",
 "agent": {
- "ephemeral_id": "571642d6-afbf-444b-a9ac-b4a282112ade",
- "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485",
+ "ephemeral_id": "8937d089-d80c-4225-9177-d6286824defd",
+ "id": "1c091add-3dae-4323-a5e8-648158c83b7b",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.10.1"
+ "version": "8.10.2"
 },
 "data_stream": {
 "dataset": "fortinet_fortimanager.log",
@@ -68,15 +68,15 @@ An example event for `log` looks as following:
 "version": "8.10.0"
 },
 "elastic_agent": {
- "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485",
+ "id": "1c091add-3dae-4323-a5e8-648158c83b7b",
 "snapshot": false,
- "version": "8.10.1"
+ "version": "8.10.2"
 },
 "event": {
 "action": "roll",
 "agent_id_status": "verified",
 "dataset": "fortinet_fortimanager.log",
- "ingested": "2023-09-29T11:36:28Z",
+ "ingested": "2023-10-03T09:57:15Z",
 "kind": "event",
 "original": "<134>date=2023-02-20 time=03:20:11 tz=\"+0500\" devname=Crest-Elastic-FMG-VM64 device_id=FMGVMSTM23000100 log_id=0031040026 type=event subtype=logfile pri=information desc=\"Rolling disk log file\" user=\"system\" userfrom=\"system\" msg=\"Rolled log file glog.1676746501.log of device SYSLOG-0A32041A [SYSLOG-0A32041A] vdom root.\" operation=\"Roll logfile\" performed_on=\"\" changes=\"Rolled log file.\" action=\"roll\"",
 "timezone": "+0500",
@@ -118,7 +118,7 @@ An example event for `log` looks as following:
 },
 "log": {
 "source": {
- "address": "192.168.192.4:54028"
+ "address": "192.168.224.5:58676"
 }
 },
 "message": "Rolled log file glog.1676746501.log of device SYSLOG-0A32041A [SYSLOG-0A32041A] vdom root.",
diff --git a/packages/hid_bravura_monitor/data_stream/log/sample_event.json b/packages/hid_bravura_monitor/data_stream/log/sample_event.json
index aba04dec8ce5..8c3de324ede8 100644
--- a/packages/hid_bravura_monitor/data_stream/log/sample_event.json
+++ b/packages/hid_bravura_monitor/data_stream/log/sample_event.json
@@ -1,11 +1,11 @@
 {
 "@timestamp": "2021-01-16T00:35:25.258Z",
 "agent": {
- "ephemeral_id": "fa387b80-fca3-4488-ac1b-460792f3a8ea",
- "id": "02ab444e-ca97-437b-85dc-d580f055047c",
+ "ephemeral_id": "35e38c15-1a71-4f27-be32-fa338af49c11",
+ "id": "891454b6-66ae-48e0-a2df-0f093ea30e4c",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.1.0"
+ "version": "8.10.2"
 },
 "data_stream": {
 "dataset": "hid_bravura_monitor.log",
@@ -16,14 +16,14 @@
 "version": "8.10.0"
 },
 "elastic_agent": {
- "id": "02ab444e-ca97-437b-85dc-d580f055047c",
+ "id": "891454b6-66ae-48e0-a2df-0f093ea30e4c",
 "snapshot": false,
- "version": "8.1.0"
+ "version": "8.10.2"
 },
 "event": {
 "agent_id_status": "verified",
 "dataset": "hid_bravura_monitor.log",
- "ingested": "2022-11-22T08:13:24Z",
+ "ingested": "2023-10-03T10:00:58Z",
 "original": "\u00182021-01-16 00:35:25.258.7085 - [] pamlws.exe [44408,52004] Error: LWS [HID-TEST] foundcomputer record not found",
 "timezone": "UTC"
 },
@@ -35,23 +35,24 @@
 },
 "host": {
 "architecture": "x86_64",
- "containerized": false,
+ "containerized": true,
 "hostname": "docker-fleet-agent",
+ "id": "efe661d97f0c4d9883075c393da6b0d8",
 "ip": [
- "172.29.0.7"
+ "172.23.0.7"
 ],
 "mac": [
- "02:42:ac:1d:00:07"
+ "02-42-AC-17-00-07"
 ],
 "name": "docker-fleet-agent",
 "os": {
 "codename": "focal",
 "family": "debian",
- "kernel": "5.10.104-linuxkit",
+ "kernel": "5.15.90.1-microsoft-standard-WSL2",
 "name": "Ubuntu",
 "platform": "ubuntu",
 "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
+ "version": "20.04.6 LTS (Focal Fossa)"
 }
 },
 "input": {
@@ -59,11 +60,13 @@
 },
 "log": {
 "file": {
+ "device_id": 2080,
+ "inode": 90160,
 "path": "/tmp/service_logs/hid_bravura_monitor.log"
 },
 "level": "Error",
 "logger": "pamlws.exe",
- "offset": 218
+ "offset": 104
 },
 "message": "LWS [HID-TEST] foundcomputer record not found",
 "process": {
diff --git a/packages/hid_bravura_monitor/docs/README.md b/packages/hid_bravura_monitor/docs/README.md
index 3f11458fdae9..88163112ee19 100644
--- a/packages/hid_bravura_monitor/docs/README.md
+++ b/packages/hid_bravura_monitor/docs/README.md
@@ -155,11 +155,11 @@ An example event for `log` looks as following:
 {
 "@timestamp": "2021-01-16T00:35:25.258Z",
 "agent": {
- "ephemeral_id": "fa387b80-fca3-4488-ac1b-460792f3a8ea",
- "id": "02ab444e-ca97-437b-85dc-d580f055047c",
+ "ephemeral_id": "35e38c15-1a71-4f27-be32-fa338af49c11",
+ "id": "891454b6-66ae-48e0-a2df-0f093ea30e4c",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.1.0"
+ "version": "8.10.2"
 },
 "data_stream": {
 "dataset": "hid_bravura_monitor.log",
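Review bot: `log.file.device_id` and `log.file.inode` enter this sample as JSON numbers (`"device_id": 2080`, `"inode": 90160`) in the `@@ -59,11 +60,13 @@` hunk, and nothing in this diff declares those fields for hid_bravura_monitor. Filestream's file-identity values are identifiers rather than quantities and are conventionally mapped as keyword, so if the package has no definition the sample may be checked against a dynamic `long` mapping and the type will disagree with packages that declare keyword; if a definition exists outside this chunk, the package's system-test config presumably also needs the matching `numeric_keyword_fields` entries for elastic-package to accept numeric values in keyword fields. The same pattern appears in the keycloak, mysql_enterprise, sysmon_linux and trendmicro sample events later in this diff.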
@@ -170,14 +170,14 @@ An example event for `log` looks as following:
 "version": "8.10.0"
 },
 "elastic_agent": {
- "id": "02ab444e-ca97-437b-85dc-d580f055047c",
+ "id": "891454b6-66ae-48e0-a2df-0f093ea30e4c",
 "snapshot": false,
- "version": "8.1.0"
+ "version": "8.10.2"
 },
 "event": {
 "agent_id_status": "verified",
 "dataset": "hid_bravura_monitor.log",
- "ingested": "2022-11-22T08:13:24Z",
+ "ingested": "2023-10-03T10:00:58Z",
 "original": "\u00182021-01-16 00:35:25.258.7085 - [] pamlws.exe [44408,52004] Error: LWS [HID-TEST] foundcomputer record not found",
 "timezone": "UTC"
 },
@@ -189,23 +189,24 @@ An example event for `log` looks as following:
 },
 "host": {
 "architecture": "x86_64",
- "containerized": false,
+ "containerized": true,
 "hostname": "docker-fleet-agent",
+ "id": "efe661d97f0c4d9883075c393da6b0d8",
 "ip": [
- "172.29.0.7"
+ "172.23.0.7"
 ],
 "mac": [
- "02:42:ac:1d:00:07"
+ "02-42-AC-17-00-07"
 ],
 "name": "docker-fleet-agent",
 "os": {
 "codename": "focal",
 "family": "debian",
- "kernel": "5.10.104-linuxkit",
+ "kernel": "5.15.90.1-microsoft-standard-WSL2",
 "name": "Ubuntu",
 "platform": "ubuntu",
 "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
+ "version": "20.04.6 LTS (Focal Fossa)"
 }
 },
 "input": {
@@ -213,11 +214,13 @@ An example event for `log` looks as following:
 },
 "log": {
 "file": {
+ "device_id": 2080,
+ "inode": 90160,
 "path": "/tmp/service_logs/hid_bravura_monitor.log"
 },
 "level": "Error",
 "logger": "pamlws.exe",
- "offset": 218
+ "offset": 104
 },
 "message": "LWS [HID-TEST] foundcomputer record not found",
 "process": {
diff --git a/packages/hid_bravura_monitor/validation.yml b/packages/hid_bravura_monitor/validation.yml
index 2527f20c3541..2b0dbafa2396 100644
--- a/packages/hid_bravura_monitor/validation.yml
+++ b/packages/hid_bravura_monitor/validation.yml
@@ -1,3 +1,3 @@
 errors:
 exclude_checks:
- - SVR00002 # Mandatory filters in dashboards.
+ - SVR00002 # Mandatory filters in dashboards.
diff --git a/packages/juniper_srx/data_stream/log/sample_event.json b/packages/juniper_srx/data_stream/log/sample_event.json
index e93968f721d6..d147fa3292cf 100644
--- a/packages/juniper_srx/data_stream/log/sample_event.json
+++ b/packages/juniper_srx/data_stream/log/sample_event.json
@@ -1,11 +1,11 @@
 {
 "@timestamp": "2016-02-18T01:32:50.391Z",
 "agent": {
- "ephemeral_id": "20ac282b-bb1c-455a-a03a-9aef5ea91cc2",
- "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485",
+ "ephemeral_id": "54aa3cbe-60b4-41ae-9a50-c2f871846983",
+ "id": "3bf92588-2ea8-4747-8efa-294ffad051db",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.10.1"
+ "version": "8.10.2"
 },
 "client": {
 "ip": "192.168.1.100",
@@ -36,9 +36,9 @@
 "version": "8.10.0"
 },
 "elastic_agent": {
- "id": "1ca7ec34-90b0-4efa-97fa-ed066e3af485",
+ "id": "3bf92588-2ea8-4747-8efa-294ffad051db",
 "snapshot": false,
- "version": "8.10.1"
+ "version": "8.10.2"
 },
 "event": {
 "action": "web_filter",
@@ -48,7 +48,7 @@
 "malware"
 ],
 "dataset": "juniper_srx.log",
- "ingested": "2023-09-29T11:56:10Z",
+ "ingested": "2023-10-03T10:08:52Z",
 "kind": "alert",
 "outcome": "success",
 "severity": 12,
@@ -74,7 +74,7 @@
 "log": {
 "level": "warning",
 "source": {
- "address": "192.168.192.4:53704"
+ "address": "172.25.0.6:36430"
 }
 },
 "observer": {
diff --git a/packages/keycloak/data_stream/log/sample_event.json b/packages/keycloak/data_stream/log/sample_event.json
index 7c4be680b8a1..02c77527881f 100644
--- a/packages/keycloak/data_stream/log/sample_event.json
+++ b/packages/keycloak/data_stream/log/sample_event.json
@@ -1,11 +1,11 @@
 {
- "@timestamp": "2021-10-22T21:01:42.667+05:00",
+ "@timestamp": "2021-10-22T21:01:42.667-05:00",
 "agent": {
- "ephemeral_id": "5861dcd8-02a1-48fe-943d-45eb7fd83e5e",
- "id": "e4c29d91-bbb7-42b8-80fd-85ddb56d2300",
+ "ephemeral_id": "bb6d890f-5c05-4247-b410-8f3b914e5293",
+ "id": "d053789b-7b04-4a8c-b06c-ca79014bb61a",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.8.2"
+ "version": "8.10.2"
 },
 "data_stream": {
 "dataset": "keycloak.log",
@@ -13,36 +13,36 @@
 "type": "logs"
 },
 "ecs": {
- "version": "8.9.0"
+ "version": "8.10.0"
 },
 "elastic_agent": {
- "id": "e4c29d91-bbb7-42b8-80fd-85ddb56d2300",
+ "id": "d053789b-7b04-4a8c-b06c-ca79014bb61a",
 "snapshot": false,
- "version": "8.8.2"
+ "version": "8.10.2"
 },
 "event": {
 "agent_id_status": "verified",
 "dataset": "keycloak.log",
- "ingested": "2023-07-24T13:27:46Z",
+ "ingested": "2023-10-03T10:29:46Z",
 "original": "2021-10-22 21:01:42,667 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 64) RESTEASY002220: Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication",
- "timezone": "+05:00"
+ "timezone": "-05:00"
 },
 "host": {
 "architecture": "x86_64",
 "containerized": true,
 "hostname": "docker-fleet-agent",
- "id": "f61391496aaa43bb94736676494450c5",
+ "id": "efe661d97f0c4d9883075c393da6b0d8",
 "ip": [
- "172.22.0.10"
+ "172.30.0.7"
 ],
 "mac": [
- "02-42-AC-16-00-0A"
+ "02-42-AC-1E-00-07"
 ],
 "name": "docker-fleet-agent",
 "os": {
 "codename": "focal",
 "family": "debian",
- "kernel": "5.10.47-linuxkit",
+ "kernel": "5.15.90.1-microsoft-standard-WSL2",
 "name": "Ubuntu",
 "platform": "ubuntu",
 "type": "linux",
@@ -54,6 +54,8 @@
 },
 "log": {
 "file": {
+ "device_id": 2080,
+ "inode": 90612,
 "path": "/tmp/service_logs/test-log.log"
 },
 "level": "INFO",
diff --git a/packages/keycloak/docs/README.md b/packages/keycloak/docs/README.md
index 84f35f428e5f..96c1afc10122 100644
--- a/packages/keycloak/docs/README.md
+++ b/packages/keycloak/docs/README.md
@@ -138,13 +138,13 @@ An example event for `log` looks as following:

 ```json
 {
- "@timestamp": "2021-10-22T21:01:42.667+05:00",
+ "@timestamp": "2021-10-22T21:01:42.667-05:00",
 "agent": {
- "ephemeral_id": "5861dcd8-02a1-48fe-943d-45eb7fd83e5e",
- "id": "e4c29d91-bbb7-42b8-80fd-85ddb56d2300",
+ "ephemeral_id": "bb6d890f-5c05-4247-b410-8f3b914e5293",
+ "id": "d053789b-7b04-4a8c-b06c-ca79014bb61a",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.8.2"
+ "version": "8.10.2"
 },
 "data_stream": {
 "dataset": "keycloak.log",
@@ -152,36 +152,36 @@ An example event for `log` looks as following:
 "type": "logs"
 },
 "ecs": {
- "version": "8.9.0"
+ "version": "8.10.0"
 },
 "elastic_agent": {
- "id": "e4c29d91-bbb7-42b8-80fd-85ddb56d2300",
+ "id": "d053789b-7b04-4a8c-b06c-ca79014bb61a",
 "snapshot": false,
- "version": "8.8.2"
+ "version": "8.10.2"
 },
 "event": {
 "agent_id_status": "verified",
 "dataset": "keycloak.log",
- "ingested": "2023-07-24T13:27:46Z",
+ "ingested": "2023-10-03T10:29:46Z",
 "original": "2021-10-22 21:01:42,667 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 64) RESTEASY002220: Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication",
- "timezone": "+05:00"
+ "timezone": "-05:00"
 },
 "host": {
 "architecture": "x86_64",
 "containerized": true,
 "hostname": "docker-fleet-agent",
- "id": "f61391496aaa43bb94736676494450c5",
+ "id": "efe661d97f0c4d9883075c393da6b0d8",
 "ip": [
- "172.22.0.10"
+ "172.30.0.7"
 ],
 "mac": [
- "02-42-AC-16-00-0A"
+ "02-42-AC-1E-00-07"
 ],
 "name": "docker-fleet-agent",
 "os": {
 "codename": "focal",
 "family": "debian",
- "kernel": "5.10.47-linuxkit",
+ "kernel": "5.15.90.1-microsoft-standard-WSL2",
 "name": "Ubuntu",
 "platform": "ubuntu",
 "type": "linux",
@@ -193,6 +193,8 @@ An example event for `log` looks as following:
 },
 "log": {
 "file": {
+ "device_id": 2080,
+ "inode": 90612,
 "path": "/tmp/service_logs/test-log.log"
 },
 "level": "INFO",
diff --git a/packages/mysql_enterprise/data_stream/audit/sample_event.json b/packages/mysql_enterprise/data_stream/audit/sample_event.json
index a0e9f5a5581d..c30dfd67e917 100644
--- a/packages/mysql_enterprise/data_stream/audit/sample_event.json
+++ b/packages/mysql_enterprise/data_stream/audit/sample_event.json
@@ -1,11 +1,11 @@
 {
 "@timestamp": "2020-10-19T19:21:33.000Z",
 "agent": {
- "ephemeral_id": "40541c95-7cce-4bef-be7b-3eb82f363f0f",
- "id": "0a5c1566-c6fd-4e91-b96d-4083445a000e",
+ "ephemeral_id": "9b24d1b7-d491-4e8f-b484-2f0b07a4344c",
+ "id": "2c39d956-ec71-4ff1-ba44-ee2a67272f8f",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.9.0"
+ "version": "8.10.2"
 },
 "data_stream": {
 "dataset": "mysql_enterprise.audit",
@@ -16,9 +16,9 @@
 "version": "8.10.0"
 },
 "elastic_agent": {
- "id": "0a5c1566-c6fd-4e91-b96d-4083445a000e",
+ "id": "2c39d956-ec71-4ff1-ba44-ee2a67272f8f",
 "snapshot": false,
- "version": "8.9.0"
+ "version": "8.10.2"
 },
 "event": {
 "action": "mysql-startup",
@@ -27,7 +27,7 @@
 "database"
 ],
 "dataset": "mysql_enterprise.audit",
- "ingested": "2023-07-31T15:48:08Z",
+ "ingested": "2023-10-03T10:32:19Z",
 "kind": "event",
 "outcome": "unknown",
 "timezone": "+00:00"
@@ -36,19 +36,19 @@
 "architecture": "x86_64",
 "containerized": true,
 "hostname": "docker-fleet-agent",
- "id": "61993a3120a949b68ffe69a69ae82866",
+ "id": "efe661d97f0c4d9883075c393da6b0d8",
 "ip": [
- "192.168.176.7"
+ "192.168.16.7"
 ],
 "mac": [
- "02-42-C0-A8-B0-07"
+ "02-42-C0-A8-10-07"
 ],
 "name": "docker-fleet-agent",
 "os": {
 "codename": "focal",
 "family": "debian",
 "full": "x86_64-Linux",
- "kernel": "5.10.47-linuxkit",
+ "kernel": "5.15.90.1-microsoft-standard-WSL2",
 "name": "Ubuntu",
 "platform": "ubuntu",
 "type": "linux",
@@ -60,6 +60,8 @@
 },
 "log": {
 "file": {
+ "device_id": 2080,
+ "inode": 90785,
 "path": "/tmp/service_logs/mysql_audit.log"
 },
 "offset": 0
diff --git a/packages/mysql_enterprise/docs/README.md b/packages/mysql_enterprise/docs/README.md
index 328180d824a8..b4bd0c6468ab 100644
--- a/packages/mysql_enterprise/docs/README.md
+++ b/packages/mysql_enterprise/docs/README.md
@@ -130,11 +130,11 @@ An example event for `audit` looks as following:
 {
 "@timestamp": "2020-10-19T19:21:33.000Z",
 "agent": {
- "ephemeral_id": "40541c95-7cce-4bef-be7b-3eb82f363f0f",
- "id": "0a5c1566-c6fd-4e91-b96d-4083445a000e",
+ "ephemeral_id": "9b24d1b7-d491-4e8f-b484-2f0b07a4344c",
+ "id": "2c39d956-ec71-4ff1-ba44-ee2a67272f8f",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.9.0"
+ "version": "8.10.2"
 },
 "data_stream": {
 "dataset": "mysql_enterprise.audit",
@@ -145,9 +145,9 @@ An example event for `audit` looks as following:
 "version": "8.10.0"
 },
 "elastic_agent": {
- "id": "0a5c1566-c6fd-4e91-b96d-4083445a000e",
+ "id": "2c39d956-ec71-4ff1-ba44-ee2a67272f8f",
 "snapshot": false,
- "version": "8.9.0"
+ "version": "8.10.2"
 },
 "event": {
 "action": "mysql-startup",
@@ -156,7 +156,7 @@ An example event for `audit` looks as following:
 "database"
 ],
 "dataset": "mysql_enterprise.audit",
- "ingested": "2023-07-31T15:48:08Z",
+ "ingested": "2023-10-03T10:32:19Z",
 "kind": "event",
 "outcome": "unknown",
 "timezone": "+00:00"
@@ -165,19 +165,19 @@ An example event for `audit` looks as following:
 "architecture": "x86_64",
 "containerized": true,
 "hostname": "docker-fleet-agent",
- "id": "61993a3120a949b68ffe69a69ae82866",
+ "id": "efe661d97f0c4d9883075c393da6b0d8",
 "ip": [
- "192.168.176.7"
+ "192.168.16.7"
 ],
 "mac": [
- "02-42-C0-A8-B0-07"
+ "02-42-C0-A8-10-07"
 ],
 "name": "docker-fleet-agent",
 "os": {
 "codename": "focal",
 "family": "debian",
 "full": "x86_64-Linux",
- "kernel": "5.10.47-linuxkit",
+ "kernel": "5.15.90.1-microsoft-standard-WSL2",
 "name": "Ubuntu",
 "platform": "ubuntu",
 "type": "linux",
@@ -189,6 +189,8 @@ An example event for `audit` looks as following:
 },
 "log": {
 "file": {
+ "device_id": 2080,
+ "inode": 90785,
 "path": "/tmp/service_logs/mysql_audit.log"
 },
 "offset": 0
diff --git a/packages/sysmon_linux/data_stream/log/sample_event.json b/packages/sysmon_linux/data_stream/log/sample_event.json
index 9f128e052cf1..d8f6b77da366 100644
--- a/packages/sysmon_linux/data_stream/log/sample_event.json
+++ b/packages/sysmon_linux/data_stream/log/sample_event.json
@@ -1,11 +1,11 @@
 {
- "@timestamp": "2022-10-24T17:05:31.000Z",
+ "@timestamp": "2023-10-24T17:05:31.000Z",
 "agent": {
- "ephemeral_id": "0ccb5087-29e5-4a64-a028-e51e06c2d944",
- "id": "af423af4-492e-4074-bae6-f31a40d3fd91",
+ "ephemeral_id": "9a76eca2-a433-4b6f-a30b-bac6e6d09995",
+ "id": "9f4e1395-4b95-476b-8057-130127354b7a",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.5.0"
+ "version": "8.10.2"
 },
 "data_stream": {
 "dataset": "sysmon_linux.log",
@@ -16,23 +16,23 @@
 "version": "8.10.0"
 },
 "elastic_agent": {
- "id": "af423af4-492e-4074-bae6-f31a40d3fd91",
+ "id": "9f4e1395-4b95-476b-8057-130127354b7a",
 "snapshot": false,
- "version": "8.5.0"
+ "version": "8.10.2"
 },
 "event": {
 "action": "log",
 "agent_id_status": "verified",
 "dataset": "sysmon_linux.log",
- "ingested": "2022-12-08T10:33:50Z",
+ "ingested": "2023-10-03T10:35:51Z",
 "kind": "event",
 "timezone": "+00:00"
 },
 "host": {
 "architecture": "x86_64",
- "containerized": false,
+ "containerized": true,
 "hostname": "docker-fleet-agent",
- "id": "66392b0697b84641af8006d87aeb89f1",
+ "id": "efe661d97f0c4d9883075c393da6b0d8",
 "ip": [
 "192.168.48.7"
 ],
@@ -43,11 +43,11 @@
 "os": {
 "codename": "focal",
 "family": "debian",
- "kernel": "5.10.104-linuxkit",
+ "kernel": "5.15.90.1-microsoft-standard-WSL2",
 "name": "Ubuntu",
 "platform": "ubuntu",
 "type": "linux",
- "version": "20.04.5 LTS (Focal Fossa)"
+ "version": "20.04.6 LTS (Focal Fossa)"
 }
 },
 "input": {
@@ -55,6 +55,8 @@
 },
 "log": {
 "file": {
+ "device_id": 2080,
+ "inode": 91045,
 "path": "/tmp/service_logs/sysmon.log"
 },
 "offset": 0
diff --git a/packages/sysmon_linux/docs/README.md b/packages/sysmon_linux/docs/README.md
index 5d489a5b6db2..26746072bcc3 100644
--- a/packages/sysmon_linux/docs/README.md
+++ b/packages/sysmon_linux/docs/README.md
@@ -25,13 +25,13 @@ An example event for `log` looks as following:

 ```json
 {
- "@timestamp": "2022-10-24T17:05:31.000Z",
+ "@timestamp": "2023-10-24T17:05:31.000Z",
 "agent": {
- "ephemeral_id": "0ccb5087-29e5-4a64-a028-e51e06c2d944",
- "id": "af423af4-492e-4074-bae6-f31a40d3fd91",
+ "ephemeral_id": "9a76eca2-a433-4b6f-a30b-bac6e6d09995",
+ "id": "9f4e1395-4b95-476b-8057-130127354b7a",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.5.0"
+ "version": "8.10.2"
 },
 "data_stream": {
 "dataset": "sysmon_linux.log",
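Review bot: `@timestamp` in the sysmon_linux sample moves from `2022-10-24T17:05:31.000Z` to `2023-10-24T17:05:31.000Z` (first hunk of this file, continued in the README section here) while `event.timezone` stays `+00:00` and nothing else about the event changes, which suggests the package's pipeline, outside this diff, fills a missing year from the clock at ingest time. That makes the documented sample drift on every regeneration and, for real data, misdates events read across a year boundary or replayed from older files, which matters for incident timelines built on this source. If the source timestamp genuinely carries no year, it is worth documenting that assumption where the date is parsed, e.g. `# source timestamp has no year; the current year is assumed at ingest`, and pinning the expected year in the system-test config so the sample stays stable.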
@@ -42,23 +42,23 @@ An example event for `log` looks as following:
 "version": "8.10.0"
 },
 "elastic_agent": {
- "id": "af423af4-492e-4074-bae6-f31a40d3fd91",
+ "id": "9f4e1395-4b95-476b-8057-130127354b7a",
 "snapshot": false,
- "version": "8.5.0"
+ "version": "8.10.2"
 },
 "event": {
 "action": "log",
 "agent_id_status": "verified",
 "dataset": "sysmon_linux.log",
- "ingested": "2022-12-08T10:33:50Z",
+ "ingested": "2023-10-03T10:35:51Z",
 "kind": "event",
 "timezone": "+00:00"
 },
 "host": {
 "architecture": "x86_64",
- "containerized": false,
+ "containerized": true,
 "hostname": "docker-fleet-agent",
- "id": "66392b0697b84641af8006d87aeb89f1",
+ "id": "efe661d97f0c4d9883075c393da6b0d8",
 "ip": [
 "192.168.48.7"
 ],
@@ -69,11 +69,11 @@ An example event for `log` looks as following:
 "os": {
 "codename": "focal",
 "family": "debian",
- "kernel": "5.10.104-linuxkit",
+ "kernel": "5.15.90.1-microsoft-standard-WSL2",
 "name": "Ubuntu",
 "platform": "ubuntu",
 "type": "linux",
- "version": "20.04.5 LTS (Focal Fossa)"
+ "version": "20.04.6 LTS (Focal Fossa)"
 }
 },
 "input": {
@@ -81,6 +81,8 @@ An example event for `log` looks as following:
 },
 "log": {
 "file": {
+ "device_id": 2080,
+ "inode": 91045,
 "path": "/tmp/service_logs/sysmon.log"
 },
 "offset": 0
diff --git a/packages/sysmon_linux/validation.yml b/packages/sysmon_linux/validation.yml
index 6cb775c44b6a..da88d107c6d7 100644
--- a/packages/sysmon_linux/validation.yml
+++ b/packages/sysmon_linux/validation.yml
@@ -1,3 +1,3 @@
 errors:
 exclude_checks:
- - SVR00001 # Saved query, but no filter.
+ - SVR00001 # Saved query, but no filter.
diff --git a/packages/trendmicro/data_stream/deep_security/sample_event.json b/packages/trendmicro/data_stream/deep_security/sample_event.json
index dc5b784a4dcb..a2c0f6e24778 100644
--- a/packages/trendmicro/data_stream/deep_security/sample_event.json
+++ b/packages/trendmicro/data_stream/deep_security/sample_event.json
@@ -1,11 +1,11 @@
 {
 "@timestamp": "2020-09-21T07:21:11.000Z",
 "agent": {
- "ephemeral_id": "a2b7adf0-c789-464f-bfb2-e7b087d9959c",
- "id": "b66dfb26-fbfb-425e-b205-5c4651dbee3a",
+ "ephemeral_id": "a938b7bf-cad0-499e-92cf-e1620b812710",
+ "id": "62a3937b-7175-47a1-bfa7-3594e38c01fa",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.6.0"
+ "version": "8.10.2"
 },
 "data_stream": {
 "dataset": "trendmicro.deep_security",
@@ -16,9 +16,9 @@
 "version": "8.10.0"
 },
 "elastic_agent": {
- "id": "b66dfb26-fbfb-425e-b205-5c4651dbee3a",
+ "id": "62a3937b-7175-47a1-bfa7-3594e38c01fa",
 "snapshot": false,
- "version": "8.6.0"
+ "version": "8.10.2"
 },
 "event": {
 "agent_id_status": "verified",
@@ -27,7 +27,7 @@
 ],
 "code": "5000000",
 "dataset": "trendmicro.deep_security",
- "ingested": "2023-02-02T13:51:33Z",
+ "ingested": "2023-10-03T10:38:39Z",
 "severity": 5,
 "type": [
 "connection",
@@ -46,6 +46,8 @@
 },
 "log": {
 "file": {
+ "device_id": 2080,
+ "inode": 91232,
 "path": "/tmp/service_logs/trendmicro.log"
 },
 "offset": 20358,