From bf1f97b177170e30df085854addf0dadfeb577e5 Mon Sep 17 00:00:00 2001 From: Dan Kortschak Date: Wed, 8 Dec 2021 11:58:34 +1030 Subject: [PATCH 1/5] x-pack/filebeat/module/sophos/xg: fix kv field separation and add support for timestamped log lines --- CHANGELOG.next.asciidoc | 1 + filebeat/docs/fields.asciidoc | 10 + x-pack/filebeat/module/sophos/fields.go | 2 +- .../module/sophos/xg/_meta/fields.yml | 5 + .../module/sophos/xg/ingest/pipeline.yml | 8 +- .../module/sophos/xg/test/firewall.log | 3 +- .../sophos/xg/test/firewall.log-expected.json | 200 ++++++++++++++++++ 7 files changed, 225 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 02d272b963c..1130812670d 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -150,6 +150,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix handling of escaped newlines in the `decode_cef` processor. {issue}16995[16995] {pull}29268[29268] - Fix `panw` module ingest errors for GLOBALPROTECT logs {pull}29154[29154] - Fix handling of IPv6 addresses in netflow flow events. {issue}19210[19210] {pull}29383[29383] +- Fix `sophos` KV splitting and syslog header handling {issue}24237[24237] {pull}29331[29331] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 0dd3105d399..73d50ea649d 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -143278,6 +143278,16 @@ type: keyword The related XSS caught by the WAF +type: keyword + +-- + +*`sophos.xg.ether_type`*:: ++ +-- +The ethernet frame type + + type: keyword -- diff --git a/x-pack/filebeat/module/sophos/fields.go b/x-pack/filebeat/module/sophos/fields.go index aa22bfaf89b..b784d8fbff3 100644 --- a/x-pack/filebeat/module/sophos/fields.go +++ b/x-pack/filebeat/module/sophos/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetSophos returns asset data. // This is the base64 encoded zlib format compressed contents of module/sophos. func AssetSophos() string { - return "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" + return "eJzsvd1yI7mVJ37vp8C/J+LfVY5qVVd1u2dd6/GGLKnd2ilVy5Kq27HhiAwQeUjCQgJZAJIU68rvsLczL+cn2cBHJvMDSVIkQKlmdybC0SWSBz8cAAcH5/MbdA+rd0iJci7UbxDSVDN4h75yf/jqNwjloIikpaaCv0N//A1CyH8bXYm8YvAbhKYUWK7e2c/M/32DOC7gHeKgl0Len1CuQU4xgRPz9+ZrCIkFyKWkGt4hLav2J3pVwjuDbSlk3vp7AE39fx9wAUhMkZ5DPTJqRkbLOUiwn2mJp1NK0BwrNAHgSEwUyAXkJ4MJSIUfgXYmRVW2/tpny5quhcUx6+AfJz82QGiI9SCFmnX+vnmEcZYP2H43p8p8D1GFKgU50gIRXOrKM1jiJSpAKTwz/8YaEVGAMpMW5vMeaYTeixk6ByJykOGJOFq0D2rf6dR0YQFcZ2ZqkQl7wIm571muLM+J4Bq4VuYAUK405rqGoYIYNS32AZhj3f9giI46TGYIhDVazimZI4wUKEUFR3OqFcLoA+hfqeagVL36J4Ot0UxWzUXFcsRhARJNoNl3JZYK0BVobKBhNJWiaA314r2YqdfXmNyDVi8H5M+pBKLZ6hXSHjdGN+CkgdvhvAXzJMhIBgtge3CSCd4/nx1OnkMpgWDtkeQwpRxyJDizsDSeMEAFLsOoCjXLoh2YDWt85c/55fkbtMCs8iee5sA1nVK/O+EBE42YmLn1koOFsLOjhrzfLfZ7ZjlKLDUlFcPS/t4v7MnozhiQ3munhHbGgPL4ThldksVx1+Tt/1uTzWtiRk2zIIcdXzH5e2Yn0l+WZ4NugfcResmhSVCikiTR3Xs421Kd/8OQKY01FMD1cwSHq5zqjDDcO8PPBB5wLVfPEdjc6FTPERjl+wFLqzHVkuP57rQc8D7SIy3bpgB5zDfUiF4Teme2vli/+w2agR4yUBIOe0X09JAB9S2viHEu9owjR+Iib5lNguxz7BpMMxL7UICDj2YfOYZaXXH6qYK1Gi2b+fs/rbqP2jPBibkcsBbP/WU7Im4WNK04bHP3zAxDp5Tg9nl+L2boYgFco1srnFHFc5DmCSLBC6rB1Kf0AXKkQBsinR93x1DjD5Z6EQa0D36wNIswIP2oRRlaAuPbl/bbmIN5PYInj+PBXKhE+mp7X/4klG6LSNbfkQp4Tvms/lCFtk3LhvTl8Jfus8EGPxpl7OX14nuE81waWTl23PvMHcxeiy+VuYsfUrP3h/972Wu4lV429OWCM6S1rWU5wmhGF8AbI9mXqwgYFu1nv0j7Asmfo/L3ZXg0Rg0aolxlEj4lWOu289AusJ33ZGW5fOGGRtf2IL3y1myN0d2qBETwUIJMAAHVc5Do4yXXb35AQqIfmcD6u7dogpXdRbWDbEpnlbSq35Z576PufsHztm7QdI/PCPYF8+uZSGVm2/Q6rkf+4g0MQi6xzJMpdS2J1pp2m5OX17909D2MJDDcX1KE1EppKPwl6mEbanNwO1U55pl/C0lnlGNW/6arrWzhQyr9a0NgxOX1Lz8EWODhDzhxOAsaREMux7h91ht1qDjue/vMAecgj+K7/skOhS7PD/GSOrxtZ6kls5+v9Fkb2RjJktvZcK1oXa4VLXtQzNPlTDAGRAv5JQpgw70niLkxe44qRBzrIDdIO4rqe9FXW9AGRj/DF19BJs9FVS2EssFuheBoshosGkISPlWgtCGoaFGylV8n82Uj6BFgMkeK5oBefIv0XF
bo7e9+9xItsUIKgDejbODEs1Bed+CEKgVXkI4V5IvZFURUXDc2haqYOKFnjrIKUkAv8EQsoMUMyoORlbV4U1oCLkbPD/lits0TswpyWvX1tBiM+iqkOTaGBTpFVP+tevvtm98rJ9Jfl1aA1qD/NpjN38x78D1egURv0QUnuFQVc54V86R8lFwPUT/Q+RGIrQyN8t1b9G9muq/Qd9+hf0NESKMv21n4QV+h/5/p/26+SBXqMuWr4BJykcOzfevyJWQEMzbB5D6tBuzAcaHtscHavSsME4HnpaBc26eJhnCAs90cGUgpEsWnrfVBVQKhmFnEFqnSQhrNmq+c1mE+WGBGc7cxQqAQmoqK5+aGYWDBUz7zytHW4MXuiRhQjuEL9Mdhg9toZBVWTOD8udxzHg5S9DOgArSkJPDq8E/h9pftW9hd97UQNtc+1muNVkzrZTtBP4mlWZrhm5NyJKR5jGmB7gHKLUx7FjfeF8I0KQgolS1onuWpvK4XteSZAQeJtT3kueFg6124oFJXmJlHe8f2zgMmDlpQ8+y2vnLLDDcLf9Qvz5E00lpZg4plGpYz0M3XtnJCyURBT0/OCRcJt5kTMokraCj4L89r2+sNFEIDuvX7nUiwF+1kNSYozf/VjpgvwPHiR8pUyWjKyIZn/ZxXdKD2PwvdzMjchPvdnjpzB/i9Xu+6+tXir5D/Gh5GJ16mlD2Bj96Mah5H12en1173JZgb9tCiFLKv8SJ7RX5xYRDV8zB/fHRXlX2I26d7yJTafcpX65+sH+xOz7Ev8xP09nc/oKXlewGYI8xY2FZgjfpWTVrbj9ASJDiyWCMGWGkkeC9dpMvEJ1cTv2wmBs5qCret592vQuaWcTaqCcicCyZmq74jbkrlQItF6HeIzLHERDsmmkO9svit0ZyjivuYHtaxmY9m1MZO6HaO+pROhA2+S/uiKIySKXjtRpB4OSrTrGTtqZWYWI3V+Si4tzkIQipZU1Qa8xzLHHEhC8zo51B8r5BFkD+5j3LYm0WimgyupEcxaY26AfOa0SnYGQce+AqI4PmIgr1e7kzplHaWDROinIiiZKCDG2DUiIqtAq8l7YnBVr6Z1E+0kW/N2MHtPLaVuztzdPsVgut5pGVa56fGinlZRznlT8T4C56nYLsh+Vnw1NUWNohFM3qtYrrw2rs+hwciKtmJPkUaHrQ/fGgBUrXSKfJNcWCB9T10s60Ax5rmOk2PCJlDnu4e9EE2/ppSzYi1jlFH2jRfbPvXh7eVFMWJpVrZpHxFgGNJhVPri4pp+o2mIBEuS1Znv6yL1RSY41koNRchZt079XvRgXJYFaL6a4XEkjvPmMZF2bcMesRmNANxePq0QmROzetG5KBO0FWltH0mtYmaU4n1SFwu1rDnIm0UYNOpwb2AY2hCdpHrAR3vJExBAiduQ2CjWud0QXOj2dj9EBZkt7Ugu+sxLzzJh5LKo81wvZ7OF/RgdiLVbOUmq4zQM/qaAWU36GbbaMRFHzXhvDLSuJFnJ4Mhm3AyUcWWQMVAkTuUYsP/2EfFapCfKqiOtpXM7na7aC0fl1ghCyIf2TcW3JvYTI2oFHQYmkCmzQqd4PadFSmwllkCqGWWQnsuY4qiLtG30akm0JVat8jTPCF7z8fgHTO4Lh915+wrNrfJtX2cBesLolcNIbYhCJOBEh9DsVYVS+12GnlFiUoTUcBrh6F5vNiobDEd7BDMPQs6D8iRDQILkFSnTB3ZMLF6dJ8E2PLsbDL5pE1eHNQOdLd0k+liqFm/UwmETun64RPWbp0zZ6ymiteV00czBRagMTHSfJ0wUZuocu9kCeL2z+ZjLcIv3Vd6+yUoJPr51ofGUlUHBPTtanb8eoXGsiRVKRSNKDh22lv2Oc1zV2HKhvLXZ3e0Ck/FdJaudNEjRRGvCpCUPFYWBed2hCy2DRNrZ7I1J8OJJXe+B1NbAM+F9AGzG2cmJn9/guo1tWtXTP4OJPyONsDS54IP2G0k6GZgTt
KnrFX31fBA+qx/L2a8lWuOm9hiLjTCaO4rXoQDaJmYZXWgypMI9XojPlqoH6NmSkf2/dmGW9my1FZ8hBV/wShZpT49G+TCtQXgq2dzthqRyxVLGTcdZuBNxcACC4tTwTU8pNZYG0CX3Nnr1vVQcZ4r8z/2UsWsBhQqALPlciZzzGeQcVimlgVjjktYtlz9VgnRWtJJpaElIYYx+spBN9p6+/oLiw5V4mjCruEco8nKVm5imn0I9uOLHJi2/hZ43NoMMMOwuuCgWsd8yQXIE3QLblEqBfIEz8CW8vaR7lMhawwD2jUZp7cT+3vkft+qWyEkmkixNJ/Vf/W6pnt2jdaTvsyvsdSxzXQN4dgWFX+mxCA79FhnSrC8URtTHSlRgncoprqLTznCDKRuoovkelD/N+fe8uKjVQTABiEFFOYcccG/kVCCfclsin6wz4ZjXjmkktIcmOa9YlfS6nGvqfOw1e6fwcyWVM+9suxkPTq3A05stglHgn8zE+a/N9wEVknJAopjwnnjljPwtQVgQIopMtJBU1An6HYtU/qNDdqZVWkQn7l0vkqZR4xLGXXBNrkXv57xGBFWKV1vSP+PwTLZn1BlVtLnRHv7hlF87afjKtDRtR93wsIveleWKZ1S9vW2h5dBeW5RIKyUINTaS81qBN+TdsHe03t4hzAq5ytFCWYop+r+FSql7YnyCoEmX4cVZSzxPrmXj7zoXZ6NxAVokAqVWNkqXsoWcnC1CIgoCiPFRMdpP0ytAU02qnvuPngqja+1hgkuJie+iSjKangGEywbRkvKc7H08bREcAKlftVEUowyYzDNacXYCn2qMHPGz1wUmHIvNXhrICZGrq621TOWurRh6kYlfE/5PeQ+F6gORMfKWqf8A8V88lUD7YTmmxaODapCJBV17dZNzizRB1DD+/n2qXD9XHrLK7odlutpnM4gC9pv7JTaxOrHtGjd/t+saX8XWdOeUpb+jDdT/tGO1hxjCXlFANWeIwib2xRIilkWuE2TXSK3dshabe7fj60L0Nwwo3YBIPdqr5IDMSzGfnRz0c2xmjcn1KiFgSzDisxd5G+dY9OkGZ7VlHolwsxEmmFOlCTmV82/h5mmyMhzjqiNuas4YYCl+ZMthLeG5hMIvbVT1omd270PTvhVwzpPz/rGIqKYUN7UzW5fWD5tVD7i9lpQWaljW/ra2ogFMG7xO46DNHAkztzoribjuKXUveCSm8Yb9jkr8+U5+uAkzQtfuAG5bns+6ddgexnWq50B+ils+S3z8+W5ZalPeWvExNB60PXIuTBAN4UTt4mMLFhSFX6kLtQqZS37rlfXJ2g7dWGjHZu7x/cRd41h/VkzMLo836rJxrLPbdFkDbC3PF9rtCfozOVn+nqnzH2wWZu1AGX3G2++8ua4SaWbzE2hm8uo4gyU44xwF8pSoAWWFE/YIAvQFWWgHJUMjwgCBVwlrY/SWdC2qupGPjGSymgYdX4hNet8+/ryuq9DI18y1lkUxvKy92wouHMu5NrT4kCiS67RLZ1xbIXFyBYthUxZvPbrgfwym/S61t2Erepo/9MAaZ1lu8tyEdg4H36+Q5QTVuVgxJnvVGt+foJeXDzgomTwDl07g4gja6X3SdguYj1zR/dtWuPU+moJI6Pq3qjce+B6RCpey4z5wV8NN1Tdb3C5aklnM5DpWtiFWfZL2xfgMVjtdC5BzQXLze5xb/WRTqMd1/sRLAtD37uXyi9unI7xsinGcXkeTiPZ2TtPRFFmR467sqviY69sG1dn31PV5BsDR3Cbnzq17WZEXpGxV5pXS58oaqyNvJGWQtrKA0au1/hGusRhmS+xfJoIvWFVfSNdsb+IzCRGSiO/MEIUoytM6nrKYeXWiKCjvmME/6ZWUOVmKeTemtGbWkvAKnpssNJYV7EU58YehSl7smeHGXwiHhDNX4/fX+ZmrY6B0CD6OCh87M6CQRE+uvU9lrj73mCTnw/77u1znVEuqlg+zlYeiZpFP1
NGksY0Ogwsst9HJpy6MmNnS5wyZuQeUhUhoNS0YujCjI+IyEGZLVEX+w2/LCjP4SEyAxhVej/N80DZYge2TzFZg5iAtP7NAkvKbARPwILn/O98hrBl4jfmt8GZ8QT7UExccaEn0oj96OhFE89ZglSlT7p1EmbAMq8irAPi6wpPL0eSDJ2Za3gfpw4occpXE+TlbVXu2+ZDTLlCOWhMWcDIMBGVbv1uZGqCHT02s7bY4iaOzeIYv0g1FCVLFs1zinKYYu8C8pUvax++j9Y0WvECJMMrm8ilhb9c0YvAiTQf2Fe3/zVM6yxwZ6tXmurKFmZEwYmt3wbDgk2HHteoXqyWfYfg2EgTyCoiisKcpzTb6MxRR7QV7FtKsaC5s5/VVeQKUKOBULkg+zsaH28t+5GytdZI2nF5YdXgobRBT08j6+vR08r6v4vJnnanvaf3P8XEO2DCp6uk6QrnntuAYrfyt9eX6HKgULVhJKta67NLNiOImNjVZMPOoj6kH2MP87HVYeXeiYhsIvLUGV+DjLu+0uGxIINlRD2ax6+W4FwGR8g8b5mAfeqwC6Bt/CF0RvPGlTNixCtivxoHaeARbv54Sl4z77JKeU3V3b2vP7rqObUjygZrPACp2lYEF/o1gVB6a12FaVPgxhEMIUGreN41iDTZlXiBKcNDRwZqTOHI5ldOQcqRTgvuDO1j64/nd/OPlcIXgHIO2MGUfLiBorOTEYlIi2xS5fkqun2GFlnUPKAW3UrBfoXON1qp4lOUVESsctBLsctUdYyEBKra0auu5iqucqqbzLp1XTSPKNTYbp2x4UTJ2r2weZIuSiw2BxdHe5Wf/XKBXvhciV8qZnTlCWU2gcPGgV08lEKZb75E3wwNDbzvhbnnYsk7DyEFpLLFLBZd6iOdNgk+ggmuHxZ6Vme5f/CpSe9hhskKfRx9rjE6kfgpkvL9wB0WU44KTPlU4gI2hmOUWNquvenrJHSUy2s7LPogchccvS4L2Io6C4BCW7QvGypgGJHqhdStG/cBluinitun5JXIgaEXlC9OfvsKUUFeoYn5HzD/gzlmK0XVyW/D/kVNymzK8KBzfmwdqqvhn10jO6i1dVk5uaqbX4npxkINWiRF6v468TjrMggKpNnIQUCLIq7c7SH75epXLAHduQDg3/72l6tfT28ufvtbF3O7wBLT0T25FPI+Zsry1gP2az1g28M2agTDPLYS4XN24lYpaa4DTMx1sUrwhJkKCVxRElOAtExJCRAX8a0gAf9ALKLZEtNhc+KDrQO29nlsoub4xE5RV9Uk0aHQk1xpGTvz3eZrJzOIte/SaPdonfORzki6b7LLujHYQKXxySbrvBef72JITOmooameajJD7L5TDVYjCkyzn94TFsp71xN8vOHCgPf6/81w1LXK7Dr/PckWy1s2eg9kI8gn2Ry1H3cTPiGOELTVWdnWu/SFbiLa6yg7WyfzpTW7DXbuds90XbKaHsMfZpO+ppgyw+u6mMu1lxmX5+3cNluJyzwHNcwCJQzGowrrmOvMqIh7zGefwGsbbu2zj85EUVS8b4kaoOP7FW46FN0HeNB/hrBO3WBT+2nWh2K7xTz/kwh7zdbYNNZ0H8lwMLrhwB1wqlIlJVREixI91gveol9iyYdOh+cOXfGizEQqYXz74eoa/ezsqOug1DCQT0cNJbj9y3v0qQI5Uru1YjyT0K/UmTa4oWUQXaGbOuksGNbVaOkk4kXaJipitxEwRMu9DEfbqOqAc+xgunn8Bg2YYVkkWC1DNoF5AZcRE5AbolUerStth2bcalcd0jnWfa3wULoT4GReYBkrraShuyrxoH3xwd4nTAbhVFFoZvPoe4HANG4CVUN4OrOllhKQFZO/J6Ba4uidMFzFqejbyzrdMxr7wvGV2wowqmd00DzDxDZGiZ9+YmgrHvHx3iI8mZWL7/mDnke/3wnPiJZZrqLWXW9RN5T38zztQHjBcHSJwTPgM8ojJkUOSaeIjebZNF
NLqkl0+cGzKRNLhYv4sStt2lwv0lFP4HUhPKM8pTihvARZTFbRAt4HtEtyn4b4ArMUe4WWWSmFFll8l5Slvvg+sxbH+LRZsrPJxCzLUzDbEI4f/0Z4VuCHTOtYZoMuYbOjGSS4FArKE4GmPB3okqmMTVgW2y3aof1tQuLRK4O3aMeuhdimHTurt037dwlp/5CQ9r8mpP3fEtL+fRraWpQMTyCFSGmox3+e8ayomFW+J6sE92RNvLxPoJcUFaOzokyjfRstE7NZ7CAkT5mmUEoUfCLxbSM8Uy4gMcEKKknSvCYN4TSvSbVSVZmgFynhTVp1kqeqFto8PeAhgQjRQpuHWSra9lmThHjF6QPHXCggCTbh4gfDlUSXwuIHUeo54DyBWU0UZUZYAhu2IZzASWLpyslKxzeLGsoqCeWyyhL4NIikmhLMEiQQqQzPgJNVxKirNm2O2eoz5JMUuBeZLQOahLIrB5MGtQusTUJ9MisXP6SxQatsQvXvkxQaIyqL2yuuR1iK6KJaJTnmlioQGT/LTTkbf7ReWy3CoOfOzh/fOOKIW7UvCXFXTT5eBbkW7SllkOINo7JpikWk05jJ2V3CKXQDldHSBilmSUQdLRff50qXg2L+kWgrSZLQZnQKKZ4xyhqaC8hptITRLm3K0+ySQuQVA0VECm574nSWQDaJUi2xjtrzv0U9FEEehbCEGVVa4viWkDXtBBqfhDIVq2UyXitbiVwmkq8uMt9t8QTUtQRcJFAkXSpQKtjplOvlXFCVuQ6z8amvsMRJNng+kggbg/LC9bePTZcqjXn0Pse50pNKxmoWWFMF1ysoBdUqOtb4enSdkxybrO3cMI3f7HrfSgObaM5wnsc+AzSP7VatSwcluItokREpRJGkKpEhnOCZRossTXCkr3iUgs3lffTyTKWKX7KUlqqUNDJRhjXVVfToM0Y5xCuxs6aqonbUaeja5Nv4Zi0mXNXTbMpE9Ou8IZ4g5N+8eaNLHUM0gcQxb+gEUKPHJjAxS7J1+SzJAS6FjC3Aikk1S3HMCqpICrFQqCQbNkUfCA7aFleKTje6DHcFoGNH/DmqscPx+HIZ+wWSJKNMuAbQ0V+iIr5mJCSdZYF+XAfTXXKQ8e+sMnNNeaOTjdqZek3WtXhNsskSJG76njixhYEnG1salJkzJEWHi5UyH2ZkHivPf0AaHkoa3RFQgixmEnM9qLkbg/IyCeH4V6+rRPbxY68LaATCUswyrMqIDQPapCWOTVUCZin0OwnE8sFVHU1EPD6TDeW4JVxblIXMEyCOb8hUCWzDytmGE8QDKIgdCOAaHid4nCj4FH8DhAq0RqOa4Cml6CyB4FVlbCubkiTFOZAkj65IK0lCVXEjENbxWmy1aVYqelXNBeGxEyWC3WIPJeqKdMaevp7p+NvKEY3v0Wt6esamuyqjV2ut8kmSOPRKsgR3YaVAZjmNnfWepG1F7RlKwQZNlMZFbGvwIqNcaTxNoBksqNQp1PBFyROUbtJCVjymmTVUFi1QUfS00gLdVBwNhm6iRxI2y/sFM5qjMwk51egMy9xXM1S2/HsYjuuclZBLYx1CLRnbRB/Z+gZEMBRK1WniIShPx7mLomRiBYPGglv5NxVVtKLeO+4xw0NnM7L9ziTM4AEVuF9oYe2L5bOq3wwkOUhGlW3OUI/ul94WUEKqKkshNRoWHkVoOccaUY1KCdOxrXBAWO5jmlCEGO9fHQ0ERLmv7D5SF5pRnrojfwuqGa2NUyEtZqDnIE/W31dzUQ1uNIQ4LEA27Yi0QCWWCtAVaGw7gruzihsWvHgvZur1tUt7fYnOfYuvV0jPA12KbDHgG/Ctjy1sjj6A/pVqDiq8zsNNnYR5U9uyuzlFdnA3WQVYkvkJ5TSIz/bcPUJ97Z74tL0wbDDEa4Yrbnv9zirbx7Uu4h4u4N6r175hTunLcTdzaopw+/7FI499sxBZxJym3Sqv2mHRHTxoeyrGzAXH6EY9IpDWjes+2A7VnI
10vLTVcxO2A7f1cxVoJOFTBUpvKNq9f7Ty42vlO5XBtuVxozqJ3bdINXGnXXPKJkwOkfWNdf5uK7Srd8GZx+z9v72/oRns8rwWCnbs8N6wr4Z4QbyP3MLmcplgBciFazdo0OBUNavkf/E0eHnTCr5BLqQrXx9kI0JYIQVg253hzf2qJOYKkyO09x1UmHZDc6v2rjcNqaTtgLYJdAmyoE7dOBbo9ZCuMQddUAYzQAwWwBBWis64W7h1v/7w1rclmZ9QftvxN+z0yZN0ejbIKk4/VdBvk4jDh6+Fd7+Kift1Qak1Gpq7A0kE52BjK9CS6vmYoEAokBnSaOwS9kovevTTwrDTypPmimJiRglmyCAYefpYFE+Lzg410qbx6XhXzlcqDK8VzrYUvajW2Bc8ZhSrbC6SvwncI655rtleKuumRkYqtlvwhOsBIHdoDFp7p/lGLIQBlienTAnzEO+ct3PrLEc/+V+coFO+av41oK7tW15xjXB+QkRRVhpkWAwnMeObiaV7nn3VXwvbY7GzIFT/rXr77Zvfm7fveWs5ao59FYTt92kW12O2q+EGr0Cif21scuq1h2HBhU997Pyf9HuerzF3dv3G9dgzeHmbbPu63zDFjHOCPvx8d2HmDhKc8cTaS3OqiIQSc7IyWqVXz1g/FgRZDr1Cd1fv0CXX3719hS4/nF/89R36eMn1D9+jF8v5CnGgeg4SkblQvlWakBKItt9688P/+P9efh3kCOh5QhnX54eVqScFDrfjUYl33yOP+a3bi5c1qPARz58X6LZs2oJ8z4JxO1/wIbw9xXT9OvmFSl1hht6ffgiC/Sw4pLNl7bcz/pfgcBLmrYH7xYhQO5HtwtMuwXO8gzeswwxrWOInaJFud/c1Os1zae20bpeH4DRXLynKff2ch/pCLs+urt2tNOoeK7A6ovejY1Rymqq/u9HltYEyYv0yPNyzE0QUHpqxx3lYa2KZ6651XAHRgovznJovY7Z22LZ6+YfvuSNuAPMktAdc+BN+3t0CAyjrWOsket2uVxpGHzzCayF1I5IHQje3Dja7AFSvtktedWTeu/lQPqsvk3paV2OM5xB6Nx7LiuvR2ZcvVkoQalROZzca6DjIyGWJ+QxOmqcTEXxKZ5WEHE1Wlibw3EYNheVMuWfpgUHS6Ii2HBx0mqDeAYuo+7dTuKIbACQUQkPmI7vjxxnFZ23OVYYzF4qfgHSpZRri0wRbYpogW5ilOA6p6p+UCZiK86y2xKVTy/sveDOPk/5obWPCE2iwF3oOkoNGd6sSXqGP9TX23hrAvkPXtQFscBP8PKap1a16jqBMjDyNa9DeLv4KYcaCykS5/qINcMPSBuYtQJo7kHItkNL2MqccfbwcFSjEBsgmk1fRRbYhKsoEbd8MYQkqdkSvIZsgxcXdiLFD0a29PQFa11ohY8Bn0TtFWsxG+UiohY5ooE7lwazlgOGI2HCCKcLoRyGXWObDPt0Inc5ssJdE2Jz4BxtLNwG9BOBh1TNy1cTH+riFxqztqnNgkC0ZbyMjBjOk3Me52rCEgmojlnyLjfAUFwzzY/jxdzBQ1gEiLRPlYIJdk+Xak7IwL9iZfcB2b57YnkogtgrBIl49uN089lhqSiqGJbL1olEN4sXFw7v3Yiam03D3dyCZnkPy5e2AvTMDutPYwn1hcBu4p5WeA9c+WHwUtqpiVk7YLaDHDTkO/aMCOQpYVJqI43LaDzkO+LYiBJQawWwrj+9XHG2/wBOLCxkVdybkCgUSEwbYjiGcOhihh9FIJevgU6Xg5l4xciukHDY/RANFqTurRbx6dCP3JkauaqnNGWAU8mY+3g7T04cpR4rqKiA/kU0uAC+iPdU5VgjnojS3i54DlUgs+XrJHOM0fhBcFCNxtbYnh6KuRP1xlQij3FOeG/kjpGoYgNGPlAE69cBOBmzYxdjLm4m5MzkaMN7M/0nCFUZZcOujFuJyITTHACNi5rsfwAgXr3fr8zVic2I8IHQiUm
YPBCY/gTleUFFZ7ZKIopSioCMRinBscBccT5hNIpuis83YKF80YichyD7CjtaJggA6CKM2l9kDYGD8Bl/q1W3dsuvzNrrt1mmWFdf9dLbYGn1u08Azss+zfictyN7HM+AgKamnZBliA/36oQVUz+1VG+rthjzYE/LmRGk57vys57RP2a0nm9PbzXPy6oUbK+G8gk/T5hGuaQHKyHWn7UkoYdSJ5FchWlGIrQthCw8euAxyx621T+3uJ9ta3+02pzeZitbkdOepeYPxthkO5mZnvBYIOwiDL3d2b7fOTh517dxBizI3uX3lotVSPY4A2SLHGwHy5W7H77YvWazWBsdZst3kozyqBIl5xnaQH0fdjjHnNtiMjVJvU9B6duromTuVnmcF6Ll4Ai8J7liSkYPhvza64LaWkhRJrU4bvDo3gnl7rQGyYV8msoT89eR3336LXrw/P71+ic6p0pTPKqrmkNtU+CAWJmYieV2gTZ4wGy07dTj8MtsvjkSMSZHYqrgp/9OsaghBc2KsRT5a0+fHHBdiw/6bvN+W4c9iCvlMMQ+VSV9HimEWqzpdbyI3OKeVciMgIZGiBWVYOvFkxKY5Q8Te6+H0KnvOFc2PWWmkHSn/0WyE2orYq4u5PuTp8ixO+aazbt0aPtOwZf/1RiL7yWAveMMNtNIy8rApU8iUgQEDl41ltZAzzOnnDVHVPN1W2JXZe3C6vadG2D2lMphLmqjqz49mOHtbuBJfrnZRJ6r5J8BMzwmWgEoJuSgox8GEu5Z4usaaAtdqa3g8w8ec7Xv8pJN1pR+hTLRxzdH52giuEkttiyGtp7pZrB6x2JEXNrtI1CnkILGGPIsWVLZhfxjh82M9YuM8u5ZiQfOmeJj/Hi5L5jXVwcbwxX/MtdbVacMKznqSND/SLJshfa0/vRqZZrB5qI2cXFDnPZ/3FfeREnCN0hmzKfhjNU94sDpT60etTOhZYKJOR7UaK1ZIaSGdxDfUCtDYjva1/daJ+dbX4dkXNM8ZHE/KXdnxdpVzgeVtyb295FzdHuM40732o7UqDPFV7Z19hUqGzZKZ+1lIBJzIVTlm5behkEd4T+4QQSebt+VPQml0hcmc8pEnXY4TSY6v+rz+yG2kfynBiA+jH7kiZ+oEvc9xiX6x/3D6US64yzv92/DyRHO8AKM5McASfapArpCtQahKwRXUGlU4OdXMN7O/OY689DXwiKEsaV0Fkrvpu7p84zjrKR0B6noD3fjiqLsitV2e0hrM+nu8Li3dKWJk3ob+4qUKyYrz4DtWvWpuHud5dmWkRnLsPMXMvzDTLwRGS8pzsVRIlUDolBLzyatQnqCPkx0eEDM9h3cdc4Ne2IqwwMn6GrKuy5ctbqGK23v8PcwwWaGPqlv4tvHAFv1E2ujRtWaEIzzYR2779lPLQrG5anaTmRtxwPGmDkAg+7+TaWrTeYbs6047vUI9Vp3XqdeBGdsZBjea/80ekz1OXO/YVH2Erze917Luwk59vArocDbHMdg1DoPu2qwDMt0yDFYoXJBie/KzTRuI2RJwNMPNTjmHKeXeVm+Fk63qV+BypOigRbdXolgibGsDTE/9iy0YG5tt6rn7WkojtSkbG7bWmMyLI5fAX49qGY4Gr6P2ciRp8jKhPF4Hsahnw0zZJhWmvTwDQqqdtmOXxZXRXqf3B7p2DlCnvfu2oC6xrPeU+fOr9VSWczoopY7M6TBvWRf8vtP0dPSeJa6shZCrdAv+B1Vi/setFWNqIN0q6rV6HrqaDFv+8NpS3zK3J1OJBrOq661vntXoLsiAaynKfURHLqrJwLiw0x73Y5rXNmxJR7AYXXbHcc/hmShKzFfNebTHzrbTd++VBUhzDWWUT0VYKcDqPnWO0Bb50XtF1siWkLYq+vRTqhiBHyvGVugvFWZ0SiFH5zbv2RkHg1CWMMmIEPf0iZzuv8IEufHX72fMxrT56NVm1+7wstJW5d6zhen2s37TDOG77HhztLPJn6C7Ve
mmvrYcGOa4FRxfPAnTLGox2R5sg8EZIuTXKlS2tg/mGKa6RrnsonOWxVLI2tpvXcw370eWvFUrJ/J2qnlRpu1DtIEVZuStlvsaphQikSbSBWXGMeuBSqzDpknCM6xievtbhKVPp49MuZIs4jK3qEZcleYxmlUyljWkRVOBzPAs3ptyTTr69dQlHTX8sUva7/oEggUeNHCrWsV/nBj60XZzo+jNJfRCZWJrVG6IY+QSdmTunR3Wqlev/X+feQiv/X/4uKaQ2R8zkOHoPD+dJ/Seu8m0nefW4tpqtTaYTu4bopknFeVTkHLE7zqc91Hm1Vb8t7I+aJ49Asi6LvG0tQyBI2Xd2iLpkQoMcbTtd+H89mbb3dkIYtn+07/DMEBrvOEnLecgj2OPMDq7j3h6cWZbP75EZ3b8MDSQ+kjFUkb4fAbSN/+EThTmhuK8kNR13GJka8HNoF+rVqXojStNP+9rlXx8aZTwaqNb+jlsraH3iWTK5b9fIA4zoalbwHKO1UgHKEWOXVaotZRu8PHmgmapk3WAGgS49PZYXTi9zr8JB6QoOjtGRkW3vlHT9fButNGykSZUqSq60mkp22CpdNa6w3woFiFImdQGOliUtvS8MIOjW+uc3iSdjhIh0VQG917kF7c2tHPzZdSSnvuBfLz03IBxXIQqxbJFyhu971L1huwgmDwzWw9X0cs0qlSE6T34F3Wi4gZfrduVtC8kK1u/R8r664REl7en/351ja7NPYV+5iPdV9ZoE2VS74P2binCaK0YInMg92ovI/JuQjhtDbJQ07mmXmdTIsyGgfoWhGspuEHLBUkHRSGfQMl1OJqqIKOPBotZY10drcNnG+UCM5q7jRgA0ReER6tqvUkQWo7dw0r1xXaknV8HkEamPde6VBm1PWiTkLZLmYIhBD+D00RnvM58EZLq1ZYTRURRJK0TtyNuh8MbhMIp+EsqgfVfmrFNLEuGeabUUzW8NSM7Gf6rn22doxVE61KNs1LQY4RVhwA7BMgisKDCrwHLVjLHnA8KZ6QuN+VHtUBGfLZHKtvcXCy+5+Gv708/+HvvdW/45kLRQvZt/9FrtlF1ny0Eq1Ix4LTu48x9n5umM3bdzrfiVCv0woFQL221DpvYW3fU7ZFHFnRwNqxKJM3ee6wfOdU+XOCkm3SwAGkjBaYVQ0RwAqU2D+Vbt4Yj5RWWy5TS1zHePNjrFtoGaCmkRsLw96c/nYZCcINsj73vhJwdP8Cyn2DQMbFOsCt2EiwU8+eLn68vr9EVfigoz5u23uFlNXM7ehhmp4niyLT8NAaz2zStRn0KpyxGD892WY7Z9HgJm0+dhF9PObna0TGWeal8ee6r9HoUGxGy4y3KE9cKqGdc/JfPG24Sc3g+1CRjn25rLzFP6CeKbvTtqu0rvnHqFi659xVSVSBEHSv0B6Wl4LM/Thgm94wqDfkfXvu/vWo+pXwKJPzRlEpYYhZUZPCEtX6DMM+REmhkW0qYUaXlyrzsjyksSqznvlh/gwH1MQxAWqPUsWC6RGiXr0WEbFUhb/TJBjlw3YpJadRtUc6FOnloPzbCm9w8zrCCd2gCuv3s70DsRuRfibxiYA9xiaVyXSrNeA8zpFaKiVn70t2osUOgyv3OjPvjcA926YXHHJ5YH2Y7/GDLcOfm5L1YrVarb4rimzx/uc79dIWABbGnNN+MSNMCAu2qD+DDHS0AvZjP3xXFO6X2hOWYGXpPHoDsSuTQbl+0bi+8E5iBXnEAlNuuvXZ3LEzMogL56NSXN2/NE19iokEq18f4xbdvzP+/ebkdUMBrfMgG8rX13H6Bk9kJqgW/+9t2QEQUpeDDwM0DUJ3VJOvyDnTi5RATs5mRQxbpjzVSWbEdllJVk7jMu60mrtRLzcDNGOaTzD1I4iH4CbDUE8C6b+MPK4iSWgtrzKO1AGuzZbAAZs+WxNMpJZuBBL0ihxwspmlhjcmWcAsH+uc//jc6ZUwszYNSonPgdKs8rGSoTtNuhr
3A5VFJPKG2/XQL1wsFRPBcbTnx02VmNveYGAqXIdoCqDk2N+Z2vzx3eY7WIuTbBfmX905raQO3494dQ5LjIw91+YOG/rMh58x+WnjGNHU9J2BWf8sho4PKOgfAueTa9Vs9ra3WjJKVWbN9loqWKnMUou6ny+vbA4F5UHGl87WDZAV0Dco/B3YChctySpkGmYJnp+tycOhHO0rNwn341youl3UwfwGA4y14G+J26dHmWVzxtT8O2fcRHITjhqp7fzG3XRhj1Qi3otNA5lwwMYuoQNw1NJuo+n2gjeRsRFpEqoweKtjCVTVQTRylkEitOJlLwelnyB+FvaY4eTbczKjKCBNVxBdPj4tnHerhO4pnY53hD71HDUn7iKCciMIWo3Sy6pV9TrxC10JqdLoZn6h0eoCi0jMxBvBPW3RrSTIaVkEGf94C6ue617L30Vxer+tD7arpS5IVuO9WOoBRfUxXp2d7gbKF0uQqC3Q1P+jhmjcmWj9CV49cc3InZTJXOvpitp2Je6yogfREzOsh34mDdc/+iHqlp9g2KO2660oxSFo7QCfrnwXnJZ+iu7Nra5P/eH69+5omgtZes73xUVKUkV8Hl2dX143xxv1jZyRxt70dnPi9vzsSBVxn5f0gFX1fM8XdoN+8TXS342xGIoEAXUB+DDT1WDvwxjbKTwSnbsK/A2sWRwCyG1dcAb2I+sGdIchsvs1QQwjpMbviiyuLhjCtINoXYMQ7uYVs5FY+BGQyLg5k+uNRKkk+Cw5pnBl+lc0Ateb8/vTDToDigfngM8VbYLZewulY0l6yNl9+3cYXjyo+X/qItsCgMsvpoKnDIZy5tleKrzhABT9B10I5T5Pzy7/75z/+Q8jZP//xn6/QP//xHxJKtqr/8c9//OdmwERw3vUJHYz4wvl0eaMRU4WYmJmHtS0U2+lEOwoqqhnTezSbWE3f1JlzINtNDovocM6akdE6JavASoPcGRXNy/RG8oM8Li2EcQ2XLYzWA0JP4GTwx4OgN6azuA7+xiDXaguzZfxC9TWvKAAKUKpTPz18DhlWyiWSRLWAr3GMjBBWUisGWXzf8LWnaJ81zSbaDKVkWE+F7Oc9HoLCU2yqobhterJlgaLbkw0H1objmv4WGK6Y6lMzw15jMc/r6d21vcxAbz2wUGZVFXPsCx8yij5+3Da2K5wT2Td0dx2iGxZWVnN8Prbclsb2zGySTMwot+mdcVfK0kUduuMnJK7iboZ3QVkduuHhH4BU1g82qIl4OIaadrfeYhAHXqTRS64wW2IJSBHsGpZE00emUhSZ67+BA1WBDoyN4jnIbu+GLQJHpMJyA0aQgJF7j8ATLit1iPC1Y/fJBsc23wzkgR+ggQ8ohh8lVMaMTLPkdogCmOpQWc0DBv7x7tpWSbUV99wZcViWWKFcLDkTON/2XjSomvdxPGznNUkj4A1Qa7OagnyHPpYGl43U8xi3IKQM4m6TW/q519BgjrXtoYJtNaHuBhkFFVcSX2M974DyeIww3BFQXJH8Y92BA2GlBKHWLli3rN8lGHaqSyKKAvOIup3ZSp6oz6KYA29t+6mo+Jb9FPUMHnz+XF3puCvnq7kfhOtThSXmut9d8PAtblau3qyd/b4ecZvrR5IsBdv8be5I7yDQc6WT4Lhxrp5HIJGAVUzpfWPpoeV85VOriJC52z6gbTaZbX1a4uJ1gRklVGwTT+EyxwdB7BIM75QSF4HuLYftkhIX6HQHK6NRRmI+a3v0tpzaLPae+EtDur/dwqy3YfqR/ei3Lva/QzQ4uliAlDSHTIv7QX+7Q0KTPF3UpRvEQMQzMsQ3DPE1eD7HPIsNVwLEw68gowy6gxnzhNytybacA6e/2FflFgtYZbXSzLbJifvM9/quUzS3PvTbOOJeK20c26+UudZl3aV29BA/PrihDoL56e7uGg264IY5YnNAjpwAsqPxOFGqXlM/z7Zt9RCXMFFUA5pixrbFFHolL8V2rh9tu25oeCBgiU
V8cr+nSjdhhLaOohmGVbmL3l7CpDXstqUUXEc37dUL6eIc7QA7yue4Z76RzDskKRBNF1Sv4gL4FSZNEokfwL22C6zJ3OiRPEcEu6IIc6i/K22r6i0r193lsZ9Q7V2+gyF/jt8Mi3keour8dPoG1TVC661ENRRoAraWHsds9XnbU6kA66qM6oq9cjS3+nWMahJz3I7nf6dpR5/zFknnmjynsaje7mJRtQchrlnKWoG2+wVypYMdsg45gi2H0XmX9vjk4xoK7eRvtxqUW+ps1JPW1Wc3Y/DaQVTJ3SE4zvP4Zsft8tY3vM5KCVP6EFXImMsaXXfphmU+1ZAgLe3WKHlnfbIbuaCqaXwuPGh026UbPvnUblAsY7sEzxvCNqBwu/YS09rhAvF2MfPEdUl/3OqIrtfcKlDxl/yqQ3ZkxdO5i7ascqXnGWGDgnCHucArPUdnXaLjoxdA5phTFVHVswCGdEeVKsepuIftLEw3iMF1xOSgl0JGzGUOkw0iYIJgNsMaljii4H0fojo+fnQGvA9R3bIL4j5bz8J0gxgEy0OF3g97rg5pBsfmsIw+9ochzeDYtIweunE5IBledSujsroObvwQEicEm0K7u0WQeFRjfX8Oh2Mo7+IDw8ssx7pf7v4QFxNeog7F4LhXUT0cV1tdG76tYtzqaX2S4ZE1llrTkSV+fMm92wG9DddNrHysG0sNtaoNBwc1sJTGg8ap+851SC847O1KvRez7Pbi5peLm+zD6dVFxFW2tJGjjTq0g1gmmNxXZVZE3d9/skRRsX2bhxprHjL7Lr2RoyUXMZX52y694JiBJvUHjPhTm9rIaXI+l9Fz/Hifzk2I5IjeEmjRfMB0e/SCY9pm72rYcO2ggUNEg6PDg5YRr6QuueCI1z9d317c3rbsRQePOiQ5fj9ksS8ItH1budjseOO6x/8uN1Me1d53c3G+1c43kZiTeWRN60+W6A5mlqo03Mwj3cVDamGNO2eQkbIKjjllYtDnbMuwhh76l3/ZsplXSkMRc1hHcQt/FcgnGDNilEqHWng8TiPeeB1qYVVOaMyyAooxK+1+ufK2SsNVl2pw/KmEiC6JDrXwfCXmqqBaQ25bnUZ8ILZIox7tEQHpilbExlHTfRSI+wmNVrukAdAlum09YkJor8XjUORSlClQdOluXIuYEJq12GF8IhijajQYZZ94pgHB8B0Wv57ckGRw5DPBp3S2qd7xHvdKmGhwfHQDpZAj236PoYcEg8M2edKxxh0SDI57ByM2gz2G7NAa1RciytUuubBeNGxDeMCAHWrB8WKWWsZbuOlMmSqzRSviTtSTblnud5i7+sRoPAh3NpLflfe5/cv7S0RwNZtrNHFB/r+e/rgZzUNMU3MbzF9vbx+LBfQcZOzgyzk4uhw0mkobHmoG+D8BAAD//4kNiE8=" } diff --git a/x-pack/filebeat/module/sophos/xg/_meta/fields.yml b/x-pack/filebeat/module/sophos/xg/_meta/fields.yml index 47c90ce9967..d5716542bfa 100644 --- a/x-pack/filebeat/module/sophos/xg/_meta/fields.yml +++ b/x-pack/filebeat/module/sophos/xg/_meta/fields.yml @@ -943,3 +943,8 @@ type: keyword description: > The related XSS caught by the WAF + + - name: ether_type + type: keyword + description: > + The ethernet frame type 
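Review bot: The description for the new `ether_type` field should say what shape the value takes, because the only sample in this patch (`ether_type=Unknown (0x0000)` in test/firewall.log, landing as `"sophos.xg.ether_type": "Unknown (0x0000)"`) is Sophos's textual rendering, not a bare numeric EtherType an analyst could compare against `0x0800`-style values. Something like `description: > The ethernet frame type as reported by the device, e.g. "Unknown (0x0000)"; a free-form string, not a numeric EtherType` would prevent people from writing numeric range queries against a keyword. The enclosing field list continues before this hunk.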
diff --git a/x-pack/filebeat/module/sophos/xg/ingest/pipeline.yml b/x-pack/filebeat/module/sophos/xg/ingest/pipeline.yml
index 3e1a5f518c2..2db7a8ad849 100644
--- a/x-pack/filebeat/module/sophos/xg/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/sophos/xg/ingest/pipeline.yml
@@ -6,7 +6,7 @@ processors:
   - grok:
       field: message
       patterns:
-        - '%{SYSLOG5424PRI}%{GREEDYDATA:log.original}$'
+        - '%{SYSLOG5424PRI}(%{SYSLOGTIMESTAMP} %{NOTSPACE} )?%{GREEDYDATA:log.original}$'
 
   # optimize fields / strings in log.original for KV processor
   - gsub:
@@ -17,7 +17,7 @@ processors:
   # split Sophos-XG fields
   - kv:
       field: log.original
-      field_split: " (?=[a-zA-Z0-9\\_\\-]+=)"
+      field_split: " (?=[a-zA-Z0-9_]+=)"
       value_split: "="
       prefix: "sophos.xg."
       ignore_missing: true
@@ -248,6 +248,10 @@ processors:
         - sophos.xg.dir_disp
         - sophos.xg.srczone
         - sophos.xg.dstzone
+        - sophos.xg.log_occurrence
+        - sophos.xg.nat_rule_id
+        - sophos.xg.in_display_interface
+        - sophos.xg.out_display_interface
         - syslog5424_pri
       ignore_missing: true
diff --git a/x-pack/filebeat/module/sophos/xg/test/firewall.log b/x-pack/filebeat/module/sophos/xg/test/firewall.log
index 920661cc9c2..cd1e2f6bb94 100644
--- a/x-pack/filebeat/module/sophos/xg/test/firewall.log
+++ b/x-pack/filebeat/module/sophos/xg/test/firewall.log
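Review bot: The new optional group `(%{SYSLOGTIMESTAMP} %{NOTSPACE} )?` consumes the relay timestamp and hostname of the `<01>Feb 11 13:12:45 _gateway ...` form but captures neither, so the header hostname vanishes from the event entirely: the expected output for that fixture line has `event.original` starting at `device="SFW"` and `host.name`/`related.hosts` holding only the harness's `firewall.localgroup.local`. For forwarded logs that hostname is the only record of which relay or collector emitted the line, which is what you need when reconciling the device's own `device_name` against the path the event took. Capture it into a temporary, e.g. `(%{SYSLOGTIMESTAMP:_temp.syslog_time} %{NOTSPACE:_temp.syslog_host} )?`, and either map it to an ECS host/observer field or document why it is intentionally discarded before the later `remove` step runs. The `processors` list continues before and after this hunk.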
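Review bot: Narrowing the key class to `[a-zA-Z0-9_]` matches every key visible in the fixtures (all use `_`), but the split remains purely lexical: the kv processor does not honour the quotes Sophos puts around free-text values, so a value in `user_name`, `message` or `dstzone` that itself contains ` word=` would be cut there and produce an attacker-chosen `sophos.xg.word` key, or clobber a real one such as `status`, which the expected JSON suggests feeds `event.outcome`. Since these keys are later promoted into `event.*`/`rule.*` (outside this hunk), a crafted value can shape the classified event. If the processor cannot be made quote-aware, at least record the limitation above the kv step, e.g. `# NOTE: split is lexical; quoted values containing " key=" are split too, so sophos.xg.* must be treated as untrusted input`, so nobody builds detections that assume these keys are device-asserted.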
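Review bot: `sophos.xg.nat_rule_id` is added to the remove list without being mapped anywhere visible, so the NAT rule that matched (`nat_rule_id=16` in the new fixture line) is lost from the event; the expected JSON for that line carries `rule.id: "9"` from `fw_rule_id` and nothing holding 16 outside `event.original`. For incident response the NAT rule is as important as the filter rule when tracing which policy exposed an address, so either keep it as a documented `sophos.xg.nat_rule_id` (adding it to `_meta/fields.yml` as was done for `ether_type`) or map it before dropping it. The same applies, more weakly, to `in_display_interface`/`out_display_interface` (`CD21-IPs_WAN` in the fixture), which are the labels administrators actually recognise. The `remove` processor's `field:` list starts before this hunk.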
@@ -18,4 +18,5 @@
 <30>device="SFW" date=2018-05-30 time=15:09:51 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=011702605051 log_type="Firewall" log_component="MAC Filter" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2.531" out_interface="" src_mac=1e:3a:5a:5b:23:ab src_ip=fe80::59f5:3ce8:c98e:5062 src_country_code= dst_ip=ff02::1:2 dst_country_code= protocol="UDP" src_port=546 dst_port=547 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature"
 <30>device="SFW" date=2018-06-01 time=10:57:55 timezone="BST" device_name="XG310" device_id=SFDemo-9a04c43 log_id=016602600006 log_type="Firewall" log_component="Heartbeat" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port3.611" out_interface="" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=10.198.32.19 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="Red" message="" appresolvedby="Signature" app_is_cloud=0
 <30>device="SFW" date=2018-06-01 time=10:55:41 timezone="BST" device_name="XG310" device_id=SFDemo-9a04c43 log_id=016602600003 log_type="Firewall" log_component="Heartbeat" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port3.611" out_interface="" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=72.163.4.185 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="Red" message="" appresolvedby="Signature" app_is_cloud=0
-
+<01>Feb 11 13:12:45 _gateway device="SFW" date=2021-02-11 time=13:12:45 timezone="CET" device_name="XG210" device_id=dem-dev log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=9 nat_rule_id=16 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" vlan_id="" ether_type=Unknown (0x0000) bridge_name="" bridge_display_name="" in_interface="Port2.109" in_display_interface="CD21-IPs_WAN" out_interface="Port5.200" out_display_interface="Port5" src_mac=11:22:33:44:55:66 dst_mac=66:55:44:33:22:11 src_ip=1.2.3.4 src_country_code=ESP dst_ip=4.3.2.1 dst_country_code=GB protocol="TCP" src_port=33370 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=2.4.6.8 tran_src_port=0 tran_dst_ip=8.6.4.2 tran_dst_port=0 srczonetype="WAN" srczone="WAN" dstzonetype="DMZ" dstzone="Zone 9" dir_disp="" connevent="Start" connid="3933925696" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
+<01>device="SFW" date=2020-06-05 time=03:45:23 timezone="CEST" device_name="SF01V" device_id=SFDemo-ta-vm-55 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=5 nat_rule_id=2 policy_type=1 user_name="" user_gp="" iap=13 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" vlan_id="" ether_type=Unknown (0x0000) bridge_name="" bridge_display_name="" in_interface="Port2" in_display_interface="Port2" out_interface="Port1" out_display_interface="Port1" src_mac=00:50:56:99:51:94 dst_mac=00:50:56:99:3D:AC src_ip=10.146.13.30 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol="TCP" src_port=45294 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=10.8.13.110 tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Start" connid="2674291981" vconnid="" hb_health="No Heartbeat"message="" appresolvedby="Signature" app_is_cloud=0 log_occurrence=1
diff --git a/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json
index deb91f6a5a3..569f5b225b6 100644
--- a/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json
+++ b/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json
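Review bot: The second added line has no space before `message=""` (`hb_health="No Heartbeat"message=""`); if that is the malformed input from the linked issue it should be called out in the commit message, because a log fixture cannot carry a comment and a later maintainer will otherwise "fix" the spacing and silently drop the regression case. If it is a typo instead, the new `field_split` still requires a space before each key, so `hb_health` would swallow `message=""` and the expected JSON for this line (past the visible part of the page) should be checked for that. Both new lines also use `<01>` as PRI while the body says `priority=Information`, and the visible expected output reports `event.severity: "6"`, which suggests severity is taken from the body rather than the header; a sentence in the commit message saying the header values are deliberately unrealistic would save the next reader from chasing that mismatch.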
@@ -1784,5 +1784,205 @@ "forwarded", "sophos-xg" ] + }, + { + "@timestamp": "2021-02-11T13:12:45.000-02:00", + "client.bytes": 0, + "client.ip": "1.2.3.4", + "client.mac": "11:22:33:44:55:66", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 33370, + "destination.bytes": 0, + "destination.ip": "4.3.2.1", + "destination.mac": "66:55:44:33:22:11", + "destination.nat.ip": "8.6.4.2", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 443, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "010101600001", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2021-02-11T13:12:45.000-02:00", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2021-02-11 time=13:12:45 timezone=\"CET\" device_name=\"XG210\" device_id=dem-dev log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=9 nat_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" vlan_id=\"\" ether_type=Unknown (0x0000) bridge_name=\"\" bridge_display_name=\"\" in_interface=\"Port2.109\" in_display_interface=\"CD21-IPs_WAN\" out_interface=\"Port5.200\" out_display_interface=\"Port5\" src_mac=11:22:33:44:55:66 dst_mac=66:55:44:33:22:11 src_ip=1.2.3.4 src_country_code=ESP dst_ip=4.3.2.1 dst_country_code=GB protocol=\"TCP\" src_port=33370 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=2.4.6.8 tran_src_port=0 tran_dst_ip=8.6.4.2 tran_dst_port=0 srczonetype=\"WAN\" srczone=\"WAN\" dstzonetype=\"DMZ\" dstzone=\"Zone 9\" dir_disp=\"\" connevent=\"Start\" connid=\"3933925696\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "6", + 
"event.start": "2021-02-11T13:12:45.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection", + "start" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 17898, + "network.bytes": 0, + "network.direction": "inbound", + "network.packets": 0, + "network.transport": "tcp", + "observer.egress.interface.name": "Port5.200", + "observer.egress.zone": "DMZ", + "observer.ingress.interface.name": "Port2.109", + "observer.ingress.zone": "WAN", + "observer.product": "XG", + "observer.serial_number": "dem-dev", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], + "related.ip": [ + "1.2.3.4", + "2.4.6.8", + "4.3.2.1", + "8.6.4.2" + ], + "rule.id": "9", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "4.3.2.1", + "server.mac": "66:55:44:33:22:11", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 443, + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.connevent": "Start", + "sophos.xg.connid": "3933925696", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG210", + "sophos.xg.dst_country_code": "GB", + "sophos.xg.ether_type": "Unknown (0x0000)", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "0", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "Firewall Rule", + "sophos.xg.log_subtype": "Allowed", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "00001", + "sophos.xg.priority": "Information", + "sophos.xg.src_country_code": "ESP", + "sophos.xg.status": "Allow", + "source.bytes": 0, + "source.ip": "1.2.3.4", + "source.mac": "11:22:33:44:55:66", + "source.nat.ip": "2.4.6.8", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 33370, + "tags": [ + "forwarded", + 
"sophos-xg" + ] + }, + { + "@timestamp": "2020-06-05T03:45:23.000-02:00", + "client.bytes": 0, + "client.ip": "10.146.13.30", + "client.mac": "00:50:56:99:51:94", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 45294, + "destination.bytes": 0, + "destination.ip": "10.8.142.181", + "destination.mac": "00:50:56:99:3D:AC", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 443, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "010101600001", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2020-06-05T03:45:23.000-02:00", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-06-05 time=03:45:23 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-ta-vm-55 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=5 nat_rule_id=2 policy_type=1 user_name=\"\" user_gp=\"\" iap=13 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" vlan_id=\"\" ether_type=Unknown (0x0000) bridge_name=\"\" bridge_display_name=\"\" in_interface=\"Port2\" in_display_interface=\"Port2\" out_interface=\"Port1\" out_display_interface=\"Port1\" src_mac=00:50:56:99:51:94 dst_mac=00:50:56:99:3D:AC src_ip=10.146.13.30 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol=\"TCP\" src_port=45294 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=10.8.13.110 tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"LAN\" srczone=\"LAN\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Start\" connid=\"2674291981\" vconnid=\"\" hb_health=\"No Heartbeat\"message=\"\" appresolvedby=\"Signature\" app_is_cloud=0 log_occurrence=1", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2020-06-05T03:45:23.000-02:00", + 
"event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection", + "start" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 19045, + "network.bytes": 0, + "network.direction": "outbound", + "network.packets": 0, + "network.transport": "tcp", + "observer.egress.interface.name": "Port1", + "observer.egress.zone": "WAN", + "observer.ingress.interface.name": "Port2", + "observer.ingress.zone": "LAN", + "observer.product": "XG", + "observer.serial_number": "SFDemo-ta-vm-55", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.hosts": [ + "firewall.localgroup.local" + ], + "related.ip": [ + "10.146.13.30", + "10.8.13.110", + "10.8.142.181" + ], + "rule.id": "5", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "10.8.142.181", + "server.mac": "00:50:56:99:3D:AC", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 443, + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.connevent": "Start", + "sophos.xg.connid": "2674291981", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SF01V", + "sophos.xg.ether_type": "Unknown (0x0000)", + "sophos.xg.hb_health": "No Heartbeat\"message=", + "sophos.xg.iap": "13", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "Firewall Rule", + "sophos.xg.log_subtype": "Allowed", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "00001", + "sophos.xg.priority": "Information", + "sophos.xg.status": "Allow", + "source.bytes": 0, + "source.ip": "10.146.13.30", + "source.mac": "00:50:56:99:51:94", + "source.nat.ip": "10.8.13.110", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 45294, + "tags": [ + "forwarded", + "sophos-xg" + ] } ] \ No newline at end of file 
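Review bot: The second record added at the end of this hunk pins `"sophos.xg.hb_health": "No Heartbeat\"message="`, which is the residue of the missing space between `hb_health="No Heartbeat"` and `message=""` in the corresponding firewall.log input line rather than a value the pipeline should produce. If that malformed spacing is deliberate coverage for the KV-separation fix in this patch, it is worth saying so in the PR description, since a later maintainer regenerating the expected output would otherwise read the mis-split value as a correct parse. If it is not deliberate, restoring the space in the input line and regenerating this record is the smaller change.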
From 1350a2c2670f3d2c49fe80160d91365ea6e2df04 Mon Sep 17 00:00:00 2001 From: Dan Kortschak Date: Wed, 8 Dec 2021 12:36:54 +1030 Subject: [PATCH 2/5] x-pack/filebeat/module/sophos/xg: make test inputs match .editorconfig --- .../module/sophos/xg/test/anti-spam.log | 22 +++++----- .../xg/test/anti-spam.log-expected.json | 20 ++++----- .../module/sophos/xg/test/anti-virus.log | 18 ++++---- .../xg/test/anti-virus.log-expected.json | 14 +++--- x-pack/filebeat/module/sophos/xg/test/atp.log | 10 ++--- .../sophos/xg/test/atp.log-expected.json | 6 +-- .../module/sophos/xg/test/cfilter.log | 20 ++++----- .../sophos/xg/test/cfilter.log-expected.json | 16 +++---- .../filebeat/module/sophos/xg/test/event.log | 40 ++++++++--------- .../sophos/xg/test/event.log-expected.json | 36 +++++++-------- .../module/sophos/xg/test/firewall.log | 44 +++++++++---------- .../sophos/xg/test/firewall.log-expected.json | 42 +++++++++--------- x-pack/filebeat/module/sophos/xg/test/idp.log | 12 ++--- .../sophos/xg/test/idp.log-expected.json | 8 ++-- .../module/sophos/xg/test/sandbox.log | 12 ++--- .../sophos/xg/test/sandbox.log-expected.json | 10 ++--- x-pack/filebeat/module/sophos/xg/test/waf.log | 10 ++--- .../sophos/xg/test/waf.log-expected.json | 8 ++-- 18 files changed, 174 insertions(+), 174 deletions(-) diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-spam.log b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log index 5480251c504..f16aee76434 100644 --- a/x-pack/filebeat/module/sophos/xg/test/anti-spam.log +++ b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log 
@@ -1,11 +1,11 @@ -<30>device="SFW" date=2020-05-18 time=14:38:48 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=041101618035 log_type="Anti-Spam" log_component="SMTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="firewall@firewallgate.com" to_email_address="Sysadmin@elasticuser.com" email_subject="*ALERT* Sophos XG Firewall" mailid="qkW2Y6-LxBk6U-vH-1590055245" mailsize=19728 spamaction="QUEUED" reason="Email has been accepted by Device and queued for scanning." src_domainname="elasticuser.com" dst_domainname="" src_ip="" src_country_code="" dst_ip="" dst_country_code="" protocol="TCP" src_port=0 dst_port=0 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" -<30>device="SFW" date=2020-05-18 time=14:38:49 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=041105613003 log_type="Anti-Spam" log_component="SMTP" log_subtype="Clean" status="" priority=Information fw_rule_id=22 user_name="" av_policy_name="Default" from_email_address="telekommunikation@constant-big.email" to_email_address="info@pelasticuser.com" email_subject="Telefonservice statt Anrufbeantworter" mailid="device="SFW" date=2020-05-18 time=14:38:50 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=041107413001 log_type="Anti-Spam" log_component="SMTP" log_subtype="Spam" status="" priority=Warning fw_rule_id=22 user_name="" av_policy_name="Spam" from_email_address="ripxfc@17buddies.net" to_email_address="hein.mueck@elasticuser.de" email_subject="nimm dringend Geld" mailid="device="SFW" date=2020-05-18 time=14:38:51 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=045908413004 log_type="Anti-Spam" log_component="SMTPS" log_subtype="Probable Spam" status="" priority=Warning fw_rule_id=22 user_name="" av_policy_name="rule3" from_email_address="SHERIF.TOBGI@ELTOBGI.COM" to_email_address="info@elasticuser.com" email_subject="09F1A19017 - 65T BP LNG 
Hybrid - TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20" mailid="<20200518070235.C1623996C64F9957@ELTOBGI.COM>" mailsize=1032152 spamaction="Prefix Subject" reason="Sender IP address is blacklisted." src_domainname="ELTOBGI.COM" dst_domainname="" src_ip=67.43.156.14 src_country_code=GBR dst_ip=185.8.209.194 dst_country_code=DEU protocol="TCP" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="RBL" -<30>device="SFW" date=2017-01-31 time=18:34:41 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=041113413005 log_type="Anti-Spam" log_component="SMTP" log_subtype="Outbound Spam" status="" priority=Warning fw_rule_id=0 user_name="gaurav" av_policy_name="Gaurav123" from_email_address="gaurav1@iview.com" to_email_address=" gaurav2@iview.com" email_subject="RPD Spam Test: Spam" mailid="" mailsize=405 spamaction="Accept" reason="" src_domainname=" iview.com" dst_domainname="" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=22420 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Spam" -<30>device="SFW" date=2018-06-06 time=11:10:11 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041114413006 log_type="Anti-Spam" log_component="SMTP" log_subtype="Outbound Probable Spam" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="rule 8" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman.local" email_subject="RPD Spam test: Bulk" mailid="" mailsize=439 spamaction="Drop" reason="Mail detected as OUTBOUND PROBABLE SPAM." 
src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=58043 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Spam" -<30>device="SFW" date=2018-06-06 time=12:50:07 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041121613009 log_type="Anti-Spam" log_component="SMTP" log_subtype="DLP" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="postman" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman. local" email_subject="Fwd: TESt" mailid="c0000002-1528269606" mailsize=5041 spamaction="DROP" reason="Email containing confidential data detected. Relevant Data Protection Policy applied." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60134 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="DLP" -<30>device="SFW" date=2018-06-06 time=12:51:34 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041122613010 log_type="Anti-Spam" log_component="SMTP" log_subtype="SPX" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman.local" email_subject="[secure:pankhil]" mailid="c0000003-1528269693" mailsize=442 spamaction="Accept" reason="SPX Template of type Specified by Sender successfully applied on Email." 
src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.16.204 dst_country_code=R1 protocol="TCP" src_port=60298 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" -<30>device="SFW" date=2018-06-06 time=12:53:39 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041123413012 log_type="Anti-Spam" log_component="SMTP" log_subtype="Dos" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="" to_email_address="" email_subject="" mailid="" mailsize=0 spamaction="TMPREJECT" reason="SMTP DoS" src_domainname="" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60392 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" -<30>device="SFW" date=2018-06-06 time=12:56:53 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041102413014 log_type="Anti-Spam" log_component="SMTP" log_subtype="Denied" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="postman" from_email_address="pankhil1@postman.local" to_email_address="pankhil@postman. local" email_subject="Fwd: test sand" mailid="c0000008-1528270010" mailsize=419835 spamaction="DROP" reason="Email is marked Malicious by Sophos Sandstorm." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60608 dst_port=25 sent_bytes=0 recv_bytes=0 -<30>device="SFW" date=2017-01-31 time=18:31:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=041207414001 log_type="Anti-Spam" log_component="POP3" log_subtype="Spam" status="" priority=Warning fw_rule_id=0 user_name="gaurav" av_policy_name="GauravPatel" from_email_address="gaurav1@iview.com" to_email_address="gaurav2@iview. 
com" email_subject="RPD Spam Test: Spam" mailid="<2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com>" mailsize=574 spamaction="Accept" reason="" src_domainname=" iview.com" dst_domainname="iview.com" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=22333 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" +<30>device="SFW" date=2020-05-18 time=14:38:48 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=041101618035 log_type="Anti-Spam" log_component="SMTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="firewall@firewallgate.com" to_email_address="Sysadmin@elasticuser.com" email_subject="*ALERT* Sophos XG Firewall" mailid="qkW2Y6-LxBk6U-vH-1590055245" mailsize=19728 spamaction="QUEUED" reason="Email has been accepted by Device and queued for scanning." src_domainname="elasticuser.com" dst_domainname="" src_ip="" src_country_code="" dst_ip="" dst_country_code="" protocol="TCP" src_port=0 dst_port=0 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" +<30>device="SFW" date=2020-05-18 time=14:38:49 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=041105613003 log_type="Anti-Spam" log_component="SMTP" log_subtype="Clean" status="" priority=Information fw_rule_id=22 user_name="" av_policy_name="Default" from_email_address="telekommunikation@constant-big.email" to_email_address="info@pelasticuser.com" email_subject="Telefonservice statt Anrufbeantworter" mailid="device="SFW" date=2020-05-18 time=14:38:50 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=041107413001 log_type="Anti-Spam" log_component="SMTP" log_subtype="Spam" status="" priority=Warning fw_rule_id=22 user_name="" av_policy_name="Spam" from_email_address="ripxfc@17buddies.net" to_email_address="hein.mueck@elasticuser.de" email_subject="nimm dringend Geld" mailid="device="SFW" date=2020-05-18 time=14:38:51 
timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=045908413004 log_type="Anti-Spam" log_component="SMTPS" log_subtype="Probable Spam" status="" priority=Warning fw_rule_id=22 user_name="" av_policy_name="rule3" from_email_address="SHERIF.TOBGI@ELTOBGI.COM" to_email_address="info@elasticuser.com" email_subject="09F1A19017 - 65T BP LNG Hybrid - TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20" mailid="<20200518070235.C1623996C64F9957@ELTOBGI.COM>" mailsize=1032152 spamaction="Prefix Subject" reason="Sender IP address is blacklisted." src_domainname="ELTOBGI.COM" dst_domainname="" src_ip=67.43.156.14 src_country_code=GBR dst_ip=185.8.209.194 dst_country_code=DEU protocol="TCP" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="RBL" +<30>device="SFW" date=2017-01-31 time=18:34:41 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=041113413005 log_type="Anti-Spam" log_component="SMTP" log_subtype="Outbound Spam" status="" priority=Warning fw_rule_id=0 user_name="gaurav" av_policy_name="Gaurav123" from_email_address="gaurav1@iview.com" to_email_address=" gaurav2@iview.com" email_subject="RPD Spam Test: Spam" mailid="" mailsize=405 spamaction="Accept" reason="" src_domainname=" iview.com" dst_domainname="" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=22420 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Spam" +<30>device="SFW" date=2018-06-06 time=11:10:11 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041114413006 log_type="Anti-Spam" log_component="SMTP" log_subtype="Outbound Probable Spam" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="rule 8" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman.local" email_subject="RPD Spam test: Bulk" mailid="" mailsize=439 spamaction="Drop" reason="Mail detected as OUTBOUND PROBABLE SPAM." 
src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=58043 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Spam" +<30>device="SFW" date=2018-06-06 time=12:50:07 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041121613009 log_type="Anti-Spam" log_component="SMTP" log_subtype="DLP" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="postman" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman. local" email_subject="Fwd: TESt" mailid="c0000002-1528269606" mailsize=5041 spamaction="DROP" reason="Email containing confidential data detected. Relevant Data Protection Policy applied." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60134 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="DLP" +<30>device="SFW" date=2018-06-06 time=12:51:34 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041122613010 log_type="Anti-Spam" log_component="SMTP" log_subtype="SPX" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman.local" email_subject="[secure:pankhil]" mailid="c0000003-1528269693" mailsize=442 spamaction="Accept" reason="SPX Template of type Specified by Sender successfully applied on Email." 
src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.16.204 dst_country_code=R1 protocol="TCP" src_port=60298 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" +<30>device="SFW" date=2018-06-06 time=12:53:39 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041123413012 log_type="Anti-Spam" log_component="SMTP" log_subtype="Dos" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="" to_email_address="" email_subject="" mailid="" mailsize=0 spamaction="TMPREJECT" reason="SMTP DoS" src_domainname="" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60392 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" +<30>device="SFW" date=2018-06-06 time=12:56:53 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041102413014 log_type="Anti-Spam" log_component="SMTP" log_subtype="Denied" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="postman" from_email_address="pankhil1@postman.local" to_email_address="pankhil@postman. local" email_subject="Fwd: test sand" mailid="c0000008-1528270010" mailsize=419835 spamaction="DROP" reason="Email is marked Malicious by Sophos Sandstorm." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60608 dst_port=25 sent_bytes=0 recv_bytes=0 +<30>device="SFW" date=2017-01-31 time=18:31:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=041207414001 log_type="Anti-Spam" log_component="POP3" log_subtype="Spam" status="" priority=Warning fw_rule_id=0 user_name="gaurav" av_policy_name="GauravPatel" from_email_address="gaurav1@iview.com" to_email_address="gaurav2@iview. 
com" email_subject="RPD Spam Test: Spam" mailid="<2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com>" mailsize=574 spamaction="Accept" reason="" src_domainname=" iview.com" dst_domainname="iview.com" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=22333 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json index 04f1bad3aac..d01fd9f6f6a 100644 --- a/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json @@ -91,7 +91,7 @@ "host.name": "some_other_host.local", "input.type": "log", "log.level": "informational", - "log.offset": 748, + "log.offset": 747, "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "1234567890123457", @@ -172,7 +172,7 @@ "host.name": "my_fancy_host", "input.type": "log", "log.level": "warning", - "log.offset": 1541, + "log.offset": 1539, "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "1234567890123456", @@ -249,7 +249,7 @@ "host.name": "some_other_host.local", "input.type": "log", "log.level": "warning", - "log.offset": 2295, + "log.offset": 2292, "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "1234567890123457", @@ -326,7 +326,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "warning", - "log.offset": 3125, + "log.offset": 3121, "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "C44313350024-P29PUA", @@ -397,7 +397,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "warning", - "log.offset": 3854, + "log.offset": 3849, "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "S4000806149EE49", 
@@ -468,7 +468,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", - "log.offset": 4629, + "log.offset": 4623, "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "S4000806149EE49", @@ -537,7 +537,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", - "log.offset": 5391, + "log.offset": 5384, "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "S4000806149EE49", @@ -607,7 +607,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "warning", - "log.offset": 6145, + "log.offset": 6137, "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "S4000806149EE49", @@ -674,7 +674,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "warning", - "log.offset": 6742, + "log.offset": 6733, "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "S4000806149EE49", @@ -744,7 +744,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "warning", - "log.offset": 7447, + "log.offset": 7437, "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "C44313350024-P29PUA", diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-virus.log b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log index 22ff5a6791f..e5271e5d2f4 100644 --- a/x-pack/filebeat/module/sophos/xg/test/anti-virus.log +++ b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log 
@@ -1,9 +1,9 @@ -<30>device="SFW" date=2020-05-18 time=14:38:33 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" virus="Sandstorm" url="http://sophostest.com/Sandstorm/SBTestFile1.pdf" domainname="sophostest.com" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.93 dst_country_code=USA protocol="TCP" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" status_code=403 -<30>device="SFW" date=2020-05-18 time=14:38:34 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" virus="EICAR-AV-Test" url="http://sophostest.com/eicar/index.html" domainname="sophostest.com" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.18 dst_country_code=USA protocol="TCP" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" status_code=403 -<30>device="SFW" date=2020-05-18 time=14:38:35 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=031106210001 log_type="Anti-Virus" log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=22 user_name="" av_policy_name="default-smtp-av" from_email_address="info@farasamed.com" to_email_address="info@elastic-user.local" subject="ZAHLUNG (PROFORMA INVOICE)" mailid="<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr" mailsize=2254721 virus="TR/AD.AgentTesla.eaz" filename="" quarantine="" src_domainname="farasamed.com" dst_domainname="" src_ip=1.128.3.4 src_country_code=DEU 
dst_ip=186.8.209.194 dst_country_code=DEU protocol="TCP" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Infected" -<30>device="SFW" date=2020-05-18 time=14:38:36 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=031106210001 log_type="Anti-Virus" log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=22 user_name="" av_policy_name="default-smtp-av" from_email_address="spedizioni@divella.it" to_email_address="info@elastic-user.local" subject="Re: NEW PRO-FORMA INVOICE" mailid="<20200519072944.AFCA295AF2A037A6@divella.it>" mailsize=537457 virus="Mal/BredoZp-B" filename="" quarantine="" src_domainname="divella.it" dst_domainname="" src_ip=216.160.83.61 src_country_code=USA dst_ip=185.7.209.194 dst_country_code=DEU protocol="TCP" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Infected" -<30>device="SFW" date=2018-06-06 time=10:51:29 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=036106211001 log_type="Anti-Virus" log_component="POPS" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="pankhil@postman.local" subject="EICAR" mailid="" mailsize=0 virus="EICAR-AV-Test" filename="" quarantine="" src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=56653 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" -<30>device="SFW" date=2018-06-06 time=10:58:29 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=036206212001 log_type="Anti-Virus" log_component="IMAPS" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="ganga@postman.local" subject="EICAR test email" mailid="<2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local>" 
mailsize=0 virus="EICAR-AV-Test" filename="" quarantine="" src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=56632 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" -<30>device="SFW" date=2018-06-21 time=19:50:23 timezone="CEST" device_name="SF01V" device_id=SFDemo-2df0960 log_id=031006209001 log_type="Anti-Virus" log_component="FTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" virus="EICAR-AV-Test" FTP_url="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" FTP_direction="Upload" filename=" /home/ftp-user/ta_test_file_1ta-cl1-46" file_size=0 file_path="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" ftpcommand="STOR" src_ip=10.146.13.49 src_country_code=R1 dst_ip=10.8.142.181 dst_country_code=R1 protocol="TCP" src_port=39910 dst_port=21 dstdomain="" sent_bytes=0 recv_bytes=0 -<30>device="SFW" date=2018-06-21 time=19:50:48 timezone="CEST" device_name="SF01V" device_id=SFDemo-2df0960 log_id=031001609002 log_type="Anti-Virus" log_component="FTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=0 user_name="" virus="" FTP_url="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" FTP_direction="Download" filename="/home/ftp-user /ta_test_file_1ta-cl1-46" file_size=19926248 file_path="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" ftpcommand="RETR" src_ip=10.146.13.49 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol="TCP" src_port=39936 dst_port=21 dstdomain="" sent_bytes=0 recv_bytes=19926248 - +<30>device="SFW" date=2020-05-18 time=14:38:33 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" virus="Sandstorm" url="http://sophostest.com/Sandstorm/SBTestFile1.pdf" domainname="sophostest.com" src_ip=172.16.34.24 
src_country_code=R1 dst_ip=13.226.155.93 dst_country_code=USA protocol="TCP" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" status_code=403 +<30>device="SFW" date=2020-05-18 time=14:38:34 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" virus="EICAR-AV-Test" url="http://sophostest.com/eicar/index.html" domainname="sophostest.com" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.18 dst_country_code=USA protocol="TCP" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" status_code=403 +<30>device="SFW" date=2020-05-18 time=14:38:35 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=031106210001 log_type="Anti-Virus" log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=22 user_name="" av_policy_name="default-smtp-av" from_email_address="info@farasamed.com" to_email_address="info@elastic-user.local" subject="ZAHLUNG (PROFORMA INVOICE)" mailid="<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr" mailsize=2254721 virus="TR/AD.AgentTesla.eaz" filename="" quarantine="" src_domainname="farasamed.com" dst_domainname="" src_ip=1.128.3.4 src_country_code=DEU dst_ip=186.8.209.194 dst_country_code=DEU protocol="TCP" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Infected" +<30>device="SFW" date=2020-05-18 time=14:38:36 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=031106210001 log_type="Anti-Virus" log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=22 user_name="" 
av_policy_name="default-smtp-av" from_email_address="spedizioni@divella.it" to_email_address="info@elastic-user.local" subject="Re: NEW PRO-FORMA INVOICE" mailid="<20200519072944.AFCA295AF2A037A6@divella.it>" mailsize=537457 virus="Mal/BredoZp-B" filename="" quarantine="" src_domainname="divella.it" dst_domainname="" src_ip=216.160.83.61 src_country_code=USA dst_ip=185.7.209.194 dst_country_code=DEU protocol="TCP" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Infected" +<30>device="SFW" date=2018-06-06 time=10:51:29 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=036106211001 log_type="Anti-Virus" log_component="POPS" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="pankhil@postman.local" subject="EICAR" mailid="" mailsize=0 virus="EICAR-AV-Test" filename="" quarantine="" src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=56653 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" +<30>device="SFW" date=2018-06-06 time=10:58:29 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=036206212001 log_type="Anti-Virus" log_component="IMAPS" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="ganga@postman.local" subject="EICAR test email" mailid="<2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local>" mailsize=0 virus="EICAR-AV-Test" filename="" quarantine="" src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=56632 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" +<30>device="SFW" date=2018-06-21 time=19:50:23 timezone="CEST" device_name="SF01V" device_id=SFDemo-2df0960 
log_id=031006209001 log_type="Anti-Virus" log_component="FTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" virus="EICAR-AV-Test" FTP_url="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" FTP_direction="Upload" filename=" /home/ftp-user/ta_test_file_1ta-cl1-46" file_size=0 file_path="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" ftpcommand="STOR" src_ip=10.146.13.49 src_country_code=R1 dst_ip=10.8.142.181 dst_country_code=R1 protocol="TCP" src_port=39910 dst_port=21 dstdomain="" sent_bytes=0 recv_bytes=0
+<30>device="SFW" date=2018-06-21 time=19:50:48 timezone="CEST" device_name="SF01V" device_id=SFDemo-2df0960 log_id=031001609002 log_type="Anti-Virus" log_component="FTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=0 user_name="" virus="" FTP_url="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" FTP_direction="Download" filename="/home/ftp-user /ta_test_file_1ta-cl1-46" file_size=19926248 file_path="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" ftpcommand="RETR" src_ip=10.146.13.49 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol="TCP" src_port=39936 dst_port=21 dstdomain="" sent_bytes=0 recv_bytes=19926248
+
diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json
index 70d803619d1..ffbbcf87eb7 100644
--- a/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json
+++ b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json
@@ -104,7 +104,7 @@
 "http.response.status_code": 403,
 "input.type": "log",
 "log.level": "critical",
- "log.offset": 673,
+ "log.offset": 672,
 "network.transport": "TCP",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
@@ -178,7 +178,7 @@
 "host.name": "some_other_host.local",
 "input.type": "log",
 "log.level": "critical",
- "log.offset": 1340,
+ "log.offset": 1338,
 "network.transport": "TCP",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123457",
@@ -254,7 +254,7 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "critical",
- "log.offset": 2113,
+ "log.offset": 2110,
 "network.transport": "TCP",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
@@ -337,7 +337,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "critical",
- "log.offset": 2862,
+ "log.offset": 2858,
 "network.transport": "TCP",
 "observer.product": "XG",
 "observer.serial_number": "S4000806149EE49",
@@ -411,7 +411,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "critical",
- "log.offset": 3578,
+ "log.offset": 3573,
 "network.transport": "TCP",
 "observer.product": "XG",
 "observer.serial_number": "S4000806149EE49",
@@ -487,7 +487,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "critical",
- "log.offset": 4304,
+ "log.offset": 4298,
 "network.transport": "TCP",
 "observer.product": "XG",
 "observer.serial_number": "SFDemo-2df0960",
@@ -557,7 +557,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 4954,
+ "log.offset": 4947,
 "network.transport": "TCP",
 "observer.product": "XG",
 "observer.serial_number": "SFDemo-2df0960",
diff --git a/x-pack/filebeat/module/sophos/xg/test/atp.log b/x-pack/filebeat/module/sophos/xg/test/atp.log
index 10f65b6bd5a..31508520576 100644
--- a/x-pack/filebeat/module/sophos/xg/test/atp.log
+++ b/x-pack/filebeat/module/sophos/xg/test/atp.log
@@ -1,5 +1,5 @@
-<30>device="SFW" date=2017-01-31 time=18:44:31 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=086304418010 log_type="ATP" log_component="Firewall" log_subtype="Drop" priority=Warning user_name="jsmith" protocol="TCP" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=46.161.30.47 url=46.161.30.47 threatname=C2/Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype="Standard" login_user="" process_user="" ep_uuid= execution_path=""
-<30>device="SFW" date=2020-05-18 time=14:38:34 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=086504418010 log_type="ATP" log_component="Web" log_subtype="Drop" priority=Warning user_name="" protocol="TCP" src_port=57579 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=E91DAD80-BDE4-4682-B7E8-FE394B70A36C eventtype="Standard" login_user="" process_user="" ep_uuid="" execution_path=""
-<30>device="SFW" date=2020-05-18 time=14:38:35 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=086504418010 log_type="ATP" log_component="Web" log_subtype="Drop" priority=Warning user_name="" protocol="TCP" src_port=57540 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=34AC8531-E7C0-4368-9978-5740952EE9AB eventtype="Standard" login_user="" process_user="" ep_uuid="" execution_path=""
-<30>device="SFW" date=2018-06-05 time=08:49:00 timezone="BST" device_name="XG310" device_id=C30006T22TGR89B log_id=086320518009 log_type="ATP" log_component="Firewall" log_subtype="Alert" priority=Notice user_name="" protocol="ICMP" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=82.211.30.202 url=82.211.30.202 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype="Standard" login_user="" process_user="" ep_uuid= execution_path=""
-
+<30>device="SFW" 
date=2017-01-31 time=18:44:31 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=086304418010 log_type="ATP" log_component="Firewall" log_subtype="Drop" priority=Warning user_name="jsmith" protocol="TCP" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=46.161.30.47 url=46.161.30.47 threatname=C2/Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype="Standard" login_user="" process_user="" ep_uuid= execution_path=""
+<30>device="SFW" date=2020-05-18 time=14:38:34 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=086504418010 log_type="ATP" log_component="Web" log_subtype="Drop" priority=Warning user_name="" protocol="TCP" src_port=57579 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=E91DAD80-BDE4-4682-B7E8-FE394B70A36C eventtype="Standard" login_user="" process_user="" ep_uuid="" execution_path=""
+<30>device="SFW" date=2020-05-18 time=14:38:35 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=086504418010 log_type="ATP" log_component="Web" log_subtype="Drop" priority=Warning user_name="" protocol="TCP" src_port=57540 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=34AC8531-E7C0-4368-9978-5740952EE9AB eventtype="Standard" login_user="" process_user="" ep_uuid="" execution_path=""
+<30>device="SFW" date=2018-06-05 time=08:49:00 timezone="BST" device_name="XG310" device_id=C30006T22TGR89B log_id=086320518009 log_type="ATP" log_component="Firewall" log_subtype="Alert" priority=Notice user_name="" protocol="ICMP" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=82.211.30.202 url=82.211.30.202 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype="Standard" login_user="" process_user="" ep_uuid= execution_path=""
+
diff --git a/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json
index 8bfa784dcae..16b796d1d50 100644
--- a/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json
+++ b/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json
@@ -92,7 +92,7 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 489,
+ "log.offset": 488,
 "network.transport": "tcp",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
@@ -157,7 +157,7 @@
 "host.name": "some_other_host.local",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 991,
+ "log.offset": 989,
 "network.transport": "tcp",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123457",
@@ -222,7 +222,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "notification",
- "log.offset": 1493,
+ "log.offset": 1490,
 "network.transport": "icmp",
 "observer.product": "XG",
 "observer.serial_number": "C30006T22TGR89B",
diff --git a/x-pack/filebeat/module/sophos/xg/test/cfilter.log b/x-pack/filebeat/module/sophos/xg/test/cfilter.log
index 2cbc3304fe3..03f021b9008 100644
--- a/x-pack/filebeat/module/sophos/xg/test/cfilter.log
+++ b/x-pack/filebeat/module/sophos/xg/test/cfilter.log
@@ -1,10 +1,10 @@ -<30>device="SFW" date=2017-01-31 time=14:03:33 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="jsmith" user_gp="Open Group" iap=1 category="Entertainment" category_type="Unproductive" url="https://r8---sn-ci5gup-qxas.googlevideo.com/" contenttype="" override_token="" httpresponsecode="" src_ip=10.198.47.71 dst_ip=182.79.221.19 protocol="TCP" src_port=9444 dst_port=443 sent_bytes=0 recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions= activityname="" reason="" -<30>device="SFW" date=2017-02-01 time=18:20:21 timezone="IST" device_name="SG115" device_id=S110000E28BA631 log_id=050902616002 log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=1 user_name="" user_gp="" iap=13 category="Religion & Spirituality" category_type="Unproductive" url="http://hanuman.com/" contenttype="" override_token="" httpresponsecode="" src_ip=216.160.83.57 dst_ip=216.58.197.44 protocol="TCP" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions= activityname="" -<30>device="SFW" date=2017-02-01 time=18:13:29 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=054402617051 log_type="Content Filtering" log_component="Application" log_subtype="Denied" priority=Information fw_rule_id=1 user_name="" user_gp="" application_filter_policy=8 category="Mobile Applications" application_name="Gtalk Android" application_risk=4 application_technology="Client Server" application_category="Mobile Applications" src_ip=216.160.83.57 src_country_code=DEU dst_ip=74.125.130.188 dst_country_code=USA protocol="TCP" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status="Deny" message="" -<30>device="SFW" date=2020-05-18 time=14:38:51 timezone="CEST" device_name="XG230" device_id=1234567890123456 
log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="" user_gp="" iap=13 category="Information Technology" category_type="Acceptable" url="https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket" contenttype="" override_token="" httpresponsecode="" src_ip=172.17.34.10 dst_ip=13.79.168.201 protocol="TCP" src_port=62851 dst_port=443 sent_bytes=259 recv_bytes=168 domain=his-eur1-neur1.servicebus.windows.net exceptions="" activityname="" reason="" user_agent="" status_code="400" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=80042000 application="" app_is_cloud=0 override_name="" override_authorizer="" -<30>device="SFW" date=2020-05-18 time=14:38:52 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=050902616002 log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=51 user_name="" user_gp="" iap=2 category="IPAddress" category_type="Acceptable" url="https://40.90.137.127/" contenttype="" override_token="" httpresponsecode="" src_ip=172.16.34.15 dst_ip=40.90.137.127 protocol="TCP" src_port=60471 dst_port=443 sent_bytes=0 recv_bytes=0 domain=40.90.137.127 exceptions="" activityname="" reason="" user_agent="" status_code="200" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=642960832 application="" app_is_cloud=0 override_name="" override_authorizer="" -<30>device="SFW" date=2020-05-18 time=14:38:53 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="" user_gp="" iap=13 category="Information Technology" category_type="Acceptable" url="http://update.eset.com/eset_upd/ep7/dll/update.ver.signed" 
contenttype="" override_token="" httpresponsecode="" src_ip=1.128.3.4 dst_ip=91.228.167.133 protocol="TCP" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com exceptions=av,https,sandstorm activityname="" reason="" user_agent="EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; " status_code="304" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=248426360 application="" app_is_cloud=0 override_name="" override_authorizer="" -<30>device="SFW" date=2016-12-02 time=18:50:20 timezone="GMT" device_name="SF01V" device_id=1234567890123456 log_id=058420116010 log_type="Content Filtering" log_component="Web Content Policy" log_subtype="Alert" user="gi123456" src_ip=10.108.108.49 transaction_id="e4a127f7-a850-477c-920e-a471b38727c1" dictionary_name="complicated_Custom" site_category=Information Technology website="ta-web-static-testing.qa. 
astaro.de" direction="in" action="Deny" file_name="cgi_echo.pl" context_match="Not" context_prefix="blah blah hello " context_suffix=" hello blah " -<30>device="SFW" date=2016-12-02 time=18:50:20 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050927616005 log_type="Content Filtering" log_component="HTTP" log_subtype="Warned" status="" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=13 category="Search Engines" category_type="Acceptable" url="http://www.google.com/" contenttype="" override_token="" httpresponsecode="" src_ip=192.168.73.220 dst_ip=64.233.189.147 protocol="TCP" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions= activityname=" Search" reason="" -<30>device="SFW" date=2016-12-02 time=18:50:22 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050901616006 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=13 category="Search Engines" category_type="Acceptable" url="http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw" contenttype="text/html" override_token="" httpresponsecode="" src_ip=192.168.73.220 dst_ip=64.233.188.94 protocol="TCP" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www.google.ca exceptions= activityname="Search" reason="not eligible" - +<30>device="SFW" date=2017-01-31 time=14:03:33 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="jsmith" user_gp="Open Group" iap=1 category="Entertainment" category_type="Unproductive" url="https://r8---sn-ci5gup-qxas.googlevideo.com/" contenttype="" override_token="" httpresponsecode="" src_ip=10.198.47.71 dst_ip=182.79.221.19 protocol="TCP" src_port=9444 dst_port=443 sent_bytes=0 
recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions= activityname="" reason="" +<30>device="SFW" date=2017-02-01 time=18:20:21 timezone="IST" device_name="SG115" device_id=S110000E28BA631 log_id=050902616002 log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=1 user_name="" user_gp="" iap=13 category="Religion & Spirituality" category_type="Unproductive" url="http://hanuman.com/" contenttype="" override_token="" httpresponsecode="" src_ip=216.160.83.57 dst_ip=216.58.197.44 protocol="TCP" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions= activityname="" +<30>device="SFW" date=2017-02-01 time=18:13:29 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=054402617051 log_type="Content Filtering" log_component="Application" log_subtype="Denied" priority=Information fw_rule_id=1 user_name="" user_gp="" application_filter_policy=8 category="Mobile Applications" application_name="Gtalk Android" application_risk=4 application_technology="Client Server" application_category="Mobile Applications" src_ip=216.160.83.57 src_country_code=DEU dst_ip=74.125.130.188 dst_country_code=USA protocol="TCP" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status="Deny" message="" +<30>device="SFW" date=2020-05-18 time=14:38:51 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="" user_gp="" iap=13 category="Information Technology" category_type="Acceptable" url="https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket" contenttype="" override_token="" httpresponsecode="" src_ip=172.17.34.10 dst_ip=13.79.168.201 protocol="TCP" src_port=62851 dst_port=443 sent_bytes=259 recv_bytes=168 domain=his-eur1-neur1.servicebus.windows.net exceptions="" activityname="" reason="" user_agent="" 
status_code="400" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=80042000 application="" app_is_cloud=0 override_name="" override_authorizer="" +<30>device="SFW" date=2020-05-18 time=14:38:52 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=050902616002 log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=51 user_name="" user_gp="" iap=2 category="IPAddress" category_type="Acceptable" url="https://40.90.137.127/" contenttype="" override_token="" httpresponsecode="" src_ip=172.16.34.15 dst_ip=40.90.137.127 protocol="TCP" src_port=60471 dst_port=443 sent_bytes=0 recv_bytes=0 domain=40.90.137.127 exceptions="" activityname="" reason="" user_agent="" status_code="200" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=642960832 application="" app_is_cloud=0 override_name="" override_authorizer="" +<30>device="SFW" date=2020-05-18 time=14:38:53 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="" user_gp="" iap=13 category="Information Technology" category_type="Acceptable" url="http://update.eset.com/eset_upd/ep7/dll/update.ver.signed" contenttype="" override_token="" httpresponsecode="" src_ip=1.128.3.4 dst_ip=91.228.167.133 protocol="TCP" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com exceptions=av,https,sandstorm activityname="" reason="" user_agent="EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; " status_code="304" transactionid="" referer="" 
download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=248426360 application="" app_is_cloud=0 override_name="" override_authorizer="" +<30>device="SFW" date=2016-12-02 time=18:50:20 timezone="GMT" device_name="SF01V" device_id=1234567890123456 log_id=058420116010 log_type="Content Filtering" log_component="Web Content Policy" log_subtype="Alert" user="gi123456" src_ip=10.108.108.49 transaction_id="e4a127f7-a850-477c-920e-a471b38727c1" dictionary_name="complicated_Custom" site_category=Information Technology website="ta-web-static-testing.qa. astaro.de" direction="in" action="Deny" file_name="cgi_echo.pl" context_match="Not" context_prefix="blah blah hello " context_suffix=" hello blah " +<30>device="SFW" date=2016-12-02 time=18:50:20 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050927616005 log_type="Content Filtering" log_component="HTTP" log_subtype="Warned" status="" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=13 category="Search Engines" category_type="Acceptable" url="http://www.google.com/" contenttype="" override_token="" httpresponsecode="" src_ip=192.168.73.220 dst_ip=64.233.189.147 protocol="TCP" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions= activityname=" Search" reason="" +<30>device="SFW" date=2016-12-02 time=18:50:22 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050901616006 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=13 category="Search Engines" category_type="Acceptable" url="http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw" contenttype="text/html" override_token="" httpresponsecode="" src_ip=192.168.73.220 dst_ip=64.233.188.94 protocol="TCP" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www.google.ca exceptions= activityname="Search" 
reason="not eligible"
+
diff --git a/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json
index 6169a070cd5..9bc411835c7 100644
--- a/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json
+++ b/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json
@@ -97,7 +97,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 654,
+ "log.offset": 653,
 "network.transport": "tcp",
 "observer.product": "XG",
 "observer.serial_number": "S110000E28BA631",
@@ -173,7 +173,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 1229,
+ "log.offset": 1227,
 "network.transport": "tcp",
 "observer.product": "XG",
 "observer.serial_number": "S110016E28BA631",
@@ -249,7 +249,7 @@
 "http.response.status_code": "400",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 1867,
+ "log.offset": 1864,
 "network.transport": "tcp",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
@@ -319,7 +319,7 @@
 "http.response.status_code": "200",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 2762,
+ "log.offset": 2758,
 "network.transport": "tcp",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123457",
@@ -387,7 +387,7 @@
 "http.response.status_code": "304",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 3571,
+ "log.offset": 3566,
 "network.transport": "tcp",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
@@ -452,7 +452,7 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "alert",
- "log.offset": 4703,
+ "log.offset": 4697,
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
 "observer.type": "firewall",
@@ -513,7 +513,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", - "log.offset": 5265, + "log.offset": 5258, "network.transport": "tcp", "observer.product": "XG", "observer.serial_number": "C01001K234RXPA1", @@ -584,7 +584,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", - "log.offset": 5880, + "log.offset": 5872, "network.transport": "tcp", "observer.product": "XG", "observer.serial_number": "C01001K234RXPA1", diff --git a/x-pack/filebeat/module/sophos/xg/test/event.log b/x-pack/filebeat/module/sophos/xg/test/event.log index 8ec039f86e2..80fe35ee11f 100644 --- a/x-pack/filebeat/module/sophos/xg/test/event.log +++ b/x-pack/filebeat/module/sophos/xg/test/event.log 
@@ -1,20 +1,20 @@
-<30>device="SFW" date=2020-05-18 time=14:38:57 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062910617701 log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="Open Group" auth_client="CTA" auth_mechanism="AD" reason="" src_ip=172.17.35.116 message="User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 172.17.35.116" name="elastic.user@elastic.test.com" src_mac=
-<30>device="SFW" date=2020-05-18 time=14:38:58 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062511418055 log_type="Event" log_component="IPSec" log_subtype="System" status="Failed" priority=Warning user_name="elastic.user@elastic.test.com" connectionname="Location-1" connectiontype="0" localinterfaceip=214.167.51.66 localgateway="" localnetwork="172.17.32.0/19" remoteinterfaceip=89.160.20.112 remotenetwork="10.84.234.5/32" message="location-1 - IKE message retransmission timed out (Remote: 89.160.20.112)"
-<30>device="SFW" date=2020-05-18 time=14:38:59 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062511318057 log_type="Event" log_component="IPSec" log_subtype="System" status="Expire" priority=Error user_name="" connectionname="" connectiontype="0" localinterfaceip="" localgateway="" localnetwork="" remoteinterfaceip="" remotenetwork="" message="IKE_SA timed out before it could be established"
-<30>device="SFW" date=2020-05-18 time=14:39:00 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063210617704 log_type="Event" log_component="My Account Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="" auth_client="N/A" auth_mechanism="Local" reason="" src_ip=67.43.156.13 message="User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism" name="" src_mac=
-<30>device="SFW" date=2020-05-18 time=14:39:01 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=064011517819 log_type="Event" log_component="Anti-Virus" log_subtype="System" priority=Notice status="Successful" oldversion=1.0.407794 newversion=1.0.407795 message="Avira AV definitions upgraded from 1.0.407794 to 1.0.407795."
-<30>device="SFW" date=2020-05-18 time=14:39:02 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=063411660022 log_type="Event" log_component="DHCP Server" log_subtype="System" status="Expire" priority=Information ipaddress="192.168.110.10" client_physical_address="-" client_host_name="" message="Lease 192.168.110.10 expired" raw_data="192.168.110.10"
-<30>device="SFW" date=2020-05-18 time=14:39:03 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063110617710 log_type="Event" log_component="SSL VPN Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="" auth_client="N/A" auth_mechanism="AD" reason="" src_ip=81.2.69.145 message="User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism" name="" src_mac=
-<30>device="SFW" date=2020-05-18 time=14:39:04 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062811617824 log_type="Event" log_component="SSL VPN" log_subtype="System" priority=Information Mode="Remote Access" sessionid="" starttime=0 user_name="elastic.user@elastic.test.com" ipaddress=10.82.234.5 sent_bytes=0 recv_bytes=0 status="Established" message="SSL VPN User 'elastic.user@elastic.test.com' connected " timestamp=1589960866 connectionname="" remote_ip=10.82.234.12
-<30>device="SFW" date=2020-05-18 time=14:39:05 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063010517708 log_type="Event" log_component="VPN Authentication" log_subtype="Authentication" status="Failed" priority=Notice user_name="hendrikl" usergroupname="" auth_client="N/A" auth_mechanism="AD,AD,Local" reason="wrong credentials" src_ip=1.128.3.4 message="User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials" name="" src_mac=
-<30>device="SFW" date=2020-05-18 time=14:39:06 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=066911518017 log_type="Event" log_component="ATP" log_subtype="System" priority=Notice status="Successful" oldversion=1.0.0297 newversion=1.0.0298 message="ATP definitions upgraded from 1.0.0297 to 1.0.0298."
-<30>device="SFW" date=2020-05-18 time=14:39:07 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=062009617502 log_type="Event" log_component="GUI" log_subtype="Admin" status="Successful" priority=Information user_name="admin" src_ip=10.83.234.5 SysLog_SERVER_NAME='Logstash' message="SysLog Server 'Logstash' settings were changed by 'admin' from '10.83.234.5' using 'GUI'"
-<30>device="SFW" date=2020-05-18 time=14:39:08 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062109517507 log_type="Event" log_component="CLI" log_subtype="Admin" status="Failed" priority=Notice user_name="root" src_ip=175.16.199.1 message="User 'root' failed to login from '175.16.199.1' using ssh because of wrong credentials"
-<30>device="SFW" date=2020-05-18 time=14:39:09 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063911517818 log_type="Event" log_component="IPS" log_subtype="System" priority=Notice status="Successful" oldversion=9.17.09 newversion=9.17.10 message="IPS definitions upgraded from 9.17.09 to 9.17.10."
-<30>device="SFW" date=2020-05-18 time=14:39:10 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063311617923 log_type="Event" log_component="Appliance" log_subtype="System" priority=Information backup_mode='appliance' message="Scheduled backup to appliance is successful."
-<30>device="SFW" date=2020-05-18 time=14:39:20 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=062910617703 log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="VPN.SSL.Users.elastic" auth_client="IPSec" auth_mechanism="N/A" reason="" src_ip=10.84.234.38 src_mac="" start_time=1591086575 sent_bytes=0 recv_bytes=0 message="User elastic.user@elastic.test.com was logged out of firewall" name="elastic.user@elastic.test.com" timestamp=1591086576
-<30>device="SFW" date=2017-03-16 time=12:56:01 timezone="IST" device_name="XG125w" device_id=S1601E1F9FCB7EE log_id=066811618014 log_type="Event" log_component="RED" log_subtype="System" priority=Information red_id=A350196C47072B0 status="Connected" eventtime="2017-03-16 12:56:01 IST" duration=164000 branch_name=Gaurav Patel recv_bytes=0 sent_bytes=0 message="A350196C47072B0/Gaurav Patel is now re-connected after 164000 ms"
-<30>device="SFW" date=2017-03-16 time=12:53:27 timezone="IST" device_name="XG125w" device_id=S1601E1F9FCB7EE log_id=066811618015 log_type="Event" log_component="RED" log_subtype="System" priority=Information red_id=A350196C47072B0 status="Disconnected" eventtime="2017-03-16 12:53:27 IST" duration=0 branch_name=Gaurav Patel recv_bytes=31488 sent_bytes=22368 message="A350196C47072B0/Gaurav Patel is now disconnected"
-<30>device="SFW" date=2017-03-16 time=12:46:26 timezone="IST" device_name="XG125w" device_id=S1601E1F9FCB7EE log_id=066811618016 log_type="Event" log_component="RED" log_subtype="System" priority=Information red_id=A350196C47072B0 status="Interim" eventtime="2017-03-16 12:46:26 IST" duration=0 branch_name=NY recv_bytes=0 sent_bytes=0 message="A350196C47072B0/NY transfered bytes TX: 0 RX: 0"
-<30>device="SFW" date=2018-06-06 time=11:12:10 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=063711517815 log_type="Event" log_component="DDNS" log_subtype="System" status="Success" priority=Notice host=test1. customtest.dyndns.org updatedip=10.198.232.86 reason="" message="DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86."
-
+<30>device="SFW" date=2020-05-18 time=14:38:57 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062910617701 log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="Open Group" auth_client="CTA" auth_mechanism="AD" reason="" src_ip=172.17.35.116 message="User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 172.17.35.116" name="elastic.user@elastic.test.com" src_mac=
+<30>device="SFW" date=2020-05-18 time=14:38:58 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062511418055 log_type="Event" log_component="IPSec" log_subtype="System" status="Failed" priority=Warning user_name="elastic.user@elastic.test.com" connectionname="Location-1" connectiontype="0" localinterfaceip=214.167.51.66 localgateway="" localnetwork="172.17.32.0/19" remoteinterfaceip=89.160.20.112 remotenetwork="10.84.234.5/32" message="location-1 - IKE message retransmission timed out (Remote: 89.160.20.112)"
+<30>device="SFW" date=2020-05-18 time=14:38:59 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062511318057 log_type="Event" log_component="IPSec" log_subtype="System" status="Expire" priority=Error user_name="" connectionname="" connectiontype="0" localinterfaceip="" localgateway="" localnetwork="" remoteinterfaceip="" remotenetwork="" message="IKE_SA timed out before it could be established"
+<30>device="SFW" date=2020-05-18 time=14:39:00 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063210617704 log_type="Event" log_component="My Account Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="" auth_client="N/A" auth_mechanism="Local" reason="" src_ip=67.43.156.13 message="User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism" name="" src_mac=
+<30>device="SFW" date=2020-05-18 time=14:39:01 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=064011517819 log_type="Event" log_component="Anti-Virus" log_subtype="System" priority=Notice status="Successful" oldversion=1.0.407794 newversion=1.0.407795 message="Avira AV definitions upgraded from 1.0.407794 to 1.0.407795."
+<30>device="SFW" date=2020-05-18 time=14:39:02 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=063411660022 log_type="Event" log_component="DHCP Server" log_subtype="System" status="Expire" priority=Information ipaddress="192.168.110.10" client_physical_address="-" client_host_name="" message="Lease 192.168.110.10 expired" raw_data="192.168.110.10"
+<30>device="SFW" date=2020-05-18 time=14:39:03 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063110617710 log_type="Event" log_component="SSL VPN Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="" auth_client="N/A" auth_mechanism="AD" reason="" src_ip=81.2.69.145 message="User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism" name="" src_mac=
+<30>device="SFW" date=2020-05-18 time=14:39:04 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062811617824 log_type="Event" log_component="SSL VPN" log_subtype="System" priority=Information Mode="Remote Access" sessionid="" starttime=0 user_name="elastic.user@elastic.test.com" ipaddress=10.82.234.5 sent_bytes=0 recv_bytes=0 status="Established" message="SSL VPN User 'elastic.user@elastic.test.com' connected " timestamp=1589960866 connectionname="" remote_ip=10.82.234.12
+<30>device="SFW" date=2020-05-18 time=14:39:05 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063010517708 log_type="Event" log_component="VPN Authentication" log_subtype="Authentication" status="Failed" priority=Notice user_name="hendrikl" usergroupname="" auth_client="N/A" auth_mechanism="AD,AD,Local" reason="wrong credentials" src_ip=1.128.3.4 message="User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials" name="" src_mac=
+<30>device="SFW" date=2020-05-18 time=14:39:06 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=066911518017 log_type="Event" log_component="ATP" log_subtype="System" priority=Notice status="Successful" oldversion=1.0.0297 newversion=1.0.0298 message="ATP definitions upgraded from 1.0.0297 to 1.0.0298."
+<30>device="SFW" date=2020-05-18 time=14:39:07 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=062009617502 log_type="Event" log_component="GUI" log_subtype="Admin" status="Successful" priority=Information user_name="admin" src_ip=10.83.234.5 SysLog_SERVER_NAME='Logstash' message="SysLog Server 'Logstash' settings were changed by 'admin' from '10.83.234.5' using 'GUI'"
+<30>device="SFW" date=2020-05-18 time=14:39:08 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062109517507 log_type="Event" log_component="CLI" log_subtype="Admin" status="Failed" priority=Notice user_name="root" src_ip=175.16.199.1 message="User 'root' failed to login from '175.16.199.1' using ssh because of wrong credentials"
+<30>device="SFW" date=2020-05-18 time=14:39:09 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063911517818 log_type="Event" log_component="IPS" log_subtype="System" priority=Notice status="Successful" oldversion=9.17.09 newversion=9.17.10 message="IPS definitions upgraded from 9.17.09 to 9.17.10."
+<30>device="SFW" date=2020-05-18 time=14:39:10 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063311617923 log_type="Event" log_component="Appliance" log_subtype="System" priority=Information backup_mode='appliance' message="Scheduled backup to appliance is successful."
+<30>device="SFW" date=2020-05-18 time=14:39:20 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=062910617703 log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="VPN.SSL.Users.elastic" auth_client="IPSec" auth_mechanism="N/A" reason="" src_ip=10.84.234.38 src_mac="" start_time=1591086575 sent_bytes=0 recv_bytes=0 message="User elastic.user@elastic.test.com was logged out of firewall" name="elastic.user@elastic.test.com" timestamp=1591086576
+<30>device="SFW" date=2017-03-16 time=12:56:01 timezone="IST" device_name="XG125w" device_id=S1601E1F9FCB7EE log_id=066811618014 log_type="Event" log_component="RED" log_subtype="System" priority=Information red_id=A350196C47072B0 status="Connected" eventtime="2017-03-16 12:56:01 IST" duration=164000 branch_name=Gaurav Patel recv_bytes=0 sent_bytes=0 message="A350196C47072B0/Gaurav Patel is now re-connected after 164000 ms"
+<30>device="SFW" date=2017-03-16 time=12:53:27 timezone="IST" device_name="XG125w" device_id=S1601E1F9FCB7EE log_id=066811618015 log_type="Event" log_component="RED" log_subtype="System" priority=Information red_id=A350196C47072B0 status="Disconnected" eventtime="2017-03-16 12:53:27 IST" duration=0 branch_name=Gaurav Patel recv_bytes=31488 sent_bytes=22368 message="A350196C47072B0/Gaurav Patel is now disconnected"
+<30>device="SFW" date=2017-03-16 time=12:46:26 timezone="IST" device_name="XG125w" device_id=S1601E1F9FCB7EE log_id=066811618016 log_type="Event" log_component="RED" log_subtype="System" priority=Information red_id=A350196C47072B0 status="Interim" eventtime="2017-03-16 12:46:26 IST" duration=0 branch_name=NY recv_bytes=0 sent_bytes=0 message="A350196C47072B0/NY transfered bytes TX: 0 RX: 0"
+<30>device="SFW" date=2018-06-06 time=11:12:10 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=063711517815 log_type="Event" log_component="DDNS" log_subtype="System" status="Success" priority=Notice host=test1. customtest.dyndns.org updatedip=10.198.232.86 reason="" message="DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86."
+
diff --git a/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json
index 179a156aaf5..26d15e9a785 100644
--- a/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json
+++ b/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json
@@ -73,7 +73,7 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 597,
+ "log.offset": 596,
 "message": "location-1 - IKE message retransmission timed out (Remote: 89.160.20.112)",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
@@ -133,7 +133,7 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "error",
- "log.offset": 1134,
+ "log.offset": 1132,
 "message": "IKE_SA timed out before it could be established",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
@@ -179,7 +179,7 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 1554,
+ "log.offset": 1551,
 "message": "User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
@@ -238,7 +238,7 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "notification",
- "log.offset": 2081,
+ "log.offset": 2077,
 "message": "Avira AV definitions upgraded from 1.0.407794 to 1.0.407795.",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
@@ -276,7 +276,7 @@
 "host.name": "some_other_host.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 2429,
+ "log.offset": 2424,
 "message": "Lease 192.168.110.10 expired",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123457",
@@ -323,7 +323,7 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 2803,
+ "log.offset": 2797,
 "message": "User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
@@ -379,7 +379,7 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 3330,
+ "log.offset": 3323,
 "message": "SSL VPN User 'elastic.user@elastic.test.com' connected ",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
@@ -431,7 +431,7 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "notification",
- "log.offset": 3829,
+ "log.offset": 3821,
 "message": "User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
@@ -480,7 +480,7 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "notification",
- "log.offset": 4341,
+ "log.offset": 4332,
 "message": "ATP definitions upgraded from 1.0.0297 to 1.0.0298.",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
@@ -519,7 +519,7 @@
 "host.name": "some_other_host.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 4669,
+ "log.offset": 4659,
 "message": "SysLog Server 'Logstash' settings were changed by 'admin' from '10.83.234.5' using 'GUI'",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123457",
@@ -566,7 +566,7 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "notification",
- "log.offset": 5064,
+ "log.offset": 5053,
 "message": "User 'root' failed to login from '175.16.199.1' using ssh because of wrong credentials",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
@@ -618,7 +618,7 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "notification",
- "log.offset": 5418,
+ "log.offset": 5406,
 "message": "IPS definitions upgraded from 9.17.09 to 9.17.10.",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
@@ -656,7 +656,7 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 5742,
+ "log.offset": 5729,
 "message": "Scheduled backup to appliance is successful.",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123456",
@@ -705,7 +705,7 @@
 "host.name": "some_other_host.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 6040,
+ "log.offset": 6026,
 "message": "User elastic.user@elastic.test.com was logged out of firewall",
 "observer.product": "XG",
 "observer.serial_number": "1234567890123457",
@@ -761,7 +761,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 6638,
+ "log.offset": 6623,
 "message": "A350196C47072B0/Gaurav Patel is now re-connected after 164000 ms",
 "observer.product": "XG",
 "observer.serial_number": "S1601E1F9FCB7EE",
@@ -807,7 +807,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 7067,
+ "log.offset": 7051,
 "message": "A350196C47072B0/Gaurav Patel is now disconnected",
 "observer.product": "XG",
 "observer.serial_number": "S1601E1F9FCB7EE",
@@ -853,7 +853,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 7486,
+ "log.offset": 7469,
 "message": "A350196C47072B0/NY transfered bytes TX: 0 RX: 0",
 "observer.product": "XG",
 "observer.serial_number": "S1601E1F9FCB7EE",
@@ -894,7 +894,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "notification",
- "log.offset": 7881,
+ "log.offset": 7863,
 "message": "DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86.",
 "observer.product": "XG",
 "observer.serial_number": "S4000806149EE49",
diff --git a/x-pack/filebeat/module/sophos/xg/test/firewall.log b/x-pack/filebeat/module/sophos/xg/test/firewall.log
index cd1e2f6bb94..1abc96cc522 100644
--- a/x-pack/filebeat/module/sophos/xg/test/firewall.log
+++ b/x-pack/filebeat/module/sophos/xg/test/firewall.log
@@ -1,22 +1,22 @@
-<30>device="SFW" date=2020-05-18 time=14:38:37 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="HTTP" application_risk=1 application_technology="Browser Based" application_category="General Internet" in_interface="Port1" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=1.128.3.4 src_country_code=R1 dst_ip=91.228.167.86 dst_country_code=SVK protocol="TCP" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=213.167.51.66 tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Stop" connid="1617925280" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
-<30>device="SFW" date=2020-05-18 time=14:38:38 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=15 appfilter_policy_id=0 application="DNS" application_risk=1 application_technology="Network Protocol" application_category="Infrastructure" in_interface="Port3.400" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=67.43.156.12 src_country_code=R1 dst_ip=91.228.165.117 dst_country_code=SVK protocol="UDP" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=185.8.209.194 tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="DMZ" srczone="DMZ" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Start" connid="3360392048" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
-<30>device="SFW" date=2020-05-18 time=14:38:39 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="Port2" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.113 src_country_code="" dst_ip=172.20.4.52 dst_country_code="" protocol="TCP" src_port=53287 dst_port=4980 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
-<30>device="SFW" date=2020-05-18 time=14:38:40 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="elastic@user.local" user_gp="elastic.group.local" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="tun0" out_interface="Port1" src_mac="" src_ip=10.82.234.6 src_country_code="" dst_ip=192.168.0.1 dst_country_code="" protocol="TCP" src_port=60102 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
-<30>device="SFW" date=2020-05-18 time=14:38:41 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010302602002 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2" out_interface="" src_mac=c4:f7:d5:b5:47:f4 src_ip=67.43.156.12 src_country_code="" dst_ip=185.7.209.207 dst_country_code="" protocol="TCP" src_port=55039 dst_port=18 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
-<30>device="SFW" date=2020-05-18 time=14:38:42 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="elastic@user.local" user_gp="elastic.group.local" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="Port2" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.101 src_country_code="" dst_ip=192.168.5.11 dst_country_code="" protocol="TCP" src_port=51826 dst_port=1109 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
-<30>device="SFW" date=2020-05-18 time=14:38:43 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010402403001 log_type="Firewall" log_component="DoS Attack" log_subtype="Denied" status="Deny" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=34:db:fd:83:d8:09 src_ip=172.16.36.105 src_country_code="" dst_ip=10.84.234.14 dst_country_code="" protocol="UDP" src_port=3389 dst_port=64465 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
-<30>device="SFW" date=2020-05-18 time=14:38:44 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=012802605201 log_type="Firewall" log_component="SSL VPN" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="tun0" out_interface="" src_mac="" src_ip=10.82.234.9 src_country_code="" dst_ip=10.82.234.11 dst_country_code="" protocol="TCP" src_port=58331 dst_port=56267 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
-<30>device="SFW" date=2020-05-18 time=14:38:45 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=61 policy_type=2 user_name="elastic@user.local" user_gp="elastic.group.local" iap=0 ips_policy_id=11 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="ipsec0" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=10.84.234.7 src_country_code=R1 dst_ip=172.16.34.50 dst_country_code=R1 protocol="TCP" src_port=58543 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="VPN" srczone="VPN" dstzonetype="VPN" dstzone="VPN" dir_disp="" connevent="Start" connid="1615935064" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
-<30>device="SFW" date=2020-05-18 time=14:38:45 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=018201500005 log_type="Firewall" log_component="ICMP ERROR MESSAGE" log_subtype="Allowed" status="Allow" priority=Notice duration=0 fw_rule_id=60 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=17 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=34:db:fd:83:d8:09 src_ip=192.168.1.254 src_country_code="" dst_ip=172.17.32.19 dst_country_code="" protocol="ICMP" icmp_type=3 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connevent="Interim" connid="2685668438" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
-<30>device="SFW" date=2020-06-05 time=12:38:53 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=10 fw_rule_id=60 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=17 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="ipsec0" out_interface="Port1" src_mac=00:00:00:00:00:00 src_ip=172.17.35.119 src_country_code=R1 dst_ip=172.16.34.10 dst_country_code=R1 protocol="TCP" src_port=61925 dst_port=88 sent_pkts=6 recv_pkts=6 sent_bytes=1802 recv_bytes=1732 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0srczonetype="VPN" srczone="VPN" dstzonetype="LAN" dstzone="LAN" dir_disp="" connevent="Stop" connid="1617126256" vconnid="" hb_health="NoHeartbeat" message="" appresolvedby="Signature" app_is_cloud=0"
-<30>device="SFW" date=2018-05-30 time=13:26:37 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010202601001 log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol="UDP" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="Invalid UDP destination." appresolvedby=" Signature"
-<30>device="SFW" date=2018-06-04 time=17:20:24 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=011402601301 log_type="Firewall" log_component="Fragmented Traffic" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=0.0.0.0 src_country_code= dst_ip=0.0.0.0 dst_country_code= protocol="0" src_port=0 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature"
-<30>device="SFW" date=2018-05-30 time=14:01:32 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010302602002 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=2 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2.611" out_interface="" src_mac=c8:5b:76:ab:72:d3 src_ip=10.198.38.184 src_country_code= dst_ip=10.198.39.255 dst_country_code= protocol="UDP" src_port=137 dst_port=137 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature"
-<30>device="SFW" date=2018-05-30 time=14:17:17 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010402403001 log_type="Firewall" log_component="DoS Attack" log_subtype="Denied" status="Deny" priority=Warning duration=0 fw_rule_id=0 policy_type=0
user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code= dst_ip=10.198.32.48 dst_country_code= protocol="TCP" src_port=41960 dst_port=22 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby=" Signature" -<30>device="SFW" date=2018-06-05 time=14:30:31 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010502604001 log_type="Firewall" log_component="ICMP Redirection" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.37.23 src_country_code= dst_ip=10.198.36.48 dst_country_code= protocol="ICMP" icmp_type=5 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby=" Signature" -<30>device="SFW" date=2018-05-31 time=17:05:14 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010602605001 log_type="Firewall" log_component="Source Routed" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol="TCP" 
src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" -<30>device="SFW" date=2018-05-30 time=15:09:51 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=011702605051 log_type="Firewall" log_component="MAC Filter" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2.531" out_interface="" src_mac=1e:3a:5a:5b:23:ab src_ip=fe80::59f5:3ce8:c98e:5062 src_country_code= dst_ip=ff02::1:2 dst_country_code= protocol="UDP" src_port=546 dst_port=547 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" -<30>device="SFW" date=2018-06-01 time=10:57:55 timezone="BST" device_name="XG310" device_id=SFDemo-9a04c43 log_id=016602600006 log_type="Firewall" log_component="Heartbeat" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port3.611" out_interface="" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=10.198.32.19 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="Red" message="" 
appresolvedby="Signature" app_is_cloud=0 -<30>device="SFW" date=2018-06-01 time=10:55:41 timezone="BST" device_name="XG310" device_id=SFDemo-9a04c43 log_id=016602600003 log_type="Firewall" log_component="Heartbeat" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port3.611" out_interface="" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=72.163.4.185 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="Red" message="" appresolvedby="Signature" app_is_cloud=0 -<01>Feb 11 13:12:45 _gateway device="SFW" date=2021-02-11 time=13:12:45 timezone="CET" device_name="XG210" device_id=dem-dev log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=9 nat_rule_id=16 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" vlan_id="" ether_type=Unknown (0x0000) bridge_name="" bridge_display_name="" in_interface="Port2.109" in_display_interface="CD21-IPs_WAN" out_interface="Port5.200" out_display_interface="Port5" src_mac=11:22:33:44:55:66 dst_mac=66:55:44:33:22:11 src_ip=1.2.3.4 src_country_code=ESP dst_ip=4.3.2.1 dst_country_code=GB protocol="TCP" src_port=33370 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=2.4.6.8 tran_src_port=0 tran_dst_ip=8.6.4.2 tran_dst_port=0 srczonetype="WAN" srczone="WAN" dstzonetype="DMZ" dstzone="Zone 9" dir_disp="" connevent="Start" connid="3933925696" vconnid="" hb_health="No 
Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 -<01>device="SFW" date=2020-06-05 time=03:45:23 timezone="CEST" device_name="SF01V" device_id=SFDemo-ta-vm-55 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=5 nat_rule_id=2 policy_type=1 user_name="" user_gp="" iap=13 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" vlan_id="" ether_type=Unknown (0x0000) bridge_name="" bridge_display_name="" in_interface="Port2" in_display_interface="Port2" out_interface="Port1" out_display_interface="Port1" src_mac=00:50:56:99:51:94 dst_mac=00:50:56:99:3D:AC src_ip=10.146.13.30 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol="TCP" src_port=45294 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=10.8.13.110 tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Start" connid="2674291981" vconnid="" hb_health="No Heartbeat"message="" appresolvedby="Signature" app_is_cloud=0 log_occurrence=1 +<30>device="SFW" date=2020-05-18 time=14:38:37 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="HTTP" application_risk=1 application_technology="Browser Based" application_category="General Internet" in_interface="Port1" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=1.128.3.4 src_country_code=R1 dst_ip=91.228.167.86 dst_country_code=SVK protocol="TCP" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=213.167.51.66 tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="LAN" 
srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Stop" connid="1617925280" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:38 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=15 appfilter_policy_id=0 application="DNS" application_risk=1 application_technology="Network Protocol" application_category="Infrastructure" in_interface="Port3.400" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=67.43.156.12 src_country_code=R1 dst_ip=91.228.165.117 dst_country_code=SVK protocol="UDP" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=185.8.209.194 tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="DMZ" srczone="DMZ" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Start" connid="3360392048" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:39 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="Port2" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.113 src_country_code="" dst_ip=172.20.4.52 dst_country_code="" protocol="TCP" src_port=53287 dst_port=4980 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" 
hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:40 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="elastic@user.local" user_gp="elastic.group.local" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="tun0" out_interface="Port1" src_mac="" src_ip=10.82.234.6 src_country_code="" dst_ip=192.168.0.1 dst_country_code="" protocol="TCP" src_port=60102 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:41 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010302602002 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2" out_interface="" src_mac=c4:f7:d5:b5:47:f4 src_ip=67.43.156.12 src_country_code="" dst_ip=185.7.209.207 dst_country_code="" protocol="TCP" src_port=55039 dst_port=18 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:42 timezone="CEST" device_name="XG230" device_id=1234567890123456 
log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="elastic@user.local" user_gp="elastic.group.local" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="Port2" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.101 src_country_code="" dst_ip=192.168.5.11 dst_country_code="" protocol="TCP" src_port=51826 dst_port=1109 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:43 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010402403001 log_type="Firewall" log_component="DoS Attack" log_subtype="Denied" status="Deny" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=34:db:fd:83:d8:09 src_ip=172.16.36.105 src_country_code="" dst_ip=10.84.234.14 dst_country_code="" protocol="UDP" src_port=3389 dst_port=64465 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:44 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=012802605201 log_type="Firewall" log_component="SSL VPN" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" 
iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="tun0" out_interface="" src_mac="" src_ip=10.82.234.9 src_country_code="" dst_ip=10.82.234.11 dst_country_code="" protocol="TCP" src_port=58331 dst_port=56267 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:45 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=61 policy_type=2 user_name="elastic@user.local" user_gp="elastic.group.local" iap=0 ips_policy_id=11 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="ipsec0" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=10.84.234.7 src_country_code=R1 dst_ip=172.16.34.50 dst_country_code=R1 protocol="TCP" src_port=58543 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="VPN" srczone="VPN" dstzonetype="VPN" dstzone="VPN" dir_disp="" connevent="Start" connid="1615935064" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:45 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=018201500005 log_type="Firewall" log_component="ICMP ERROR MESSAGE" log_subtype="Allowed" status="Allow" priority=Notice duration=0 fw_rule_id=60 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=17 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" 
out_interface="" src_mac=34:db:fd:83:d8:09 src_ip=192.168.1.254 src_country_code="" dst_ip=172.17.32.19 dst_country_code="" protocol="ICMP" icmp_type=3 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connevent="Interim" connid="2685668438" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-06-05 time=12:38:53 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=10 fw_rule_id=60 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=17 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="ipsec0" out_interface="Port1" src_mac=00:00:00:00:00:00 src_ip=172.17.35.119 src_country_code=R1 dst_ip=172.16.34.10 dst_country_code=R1 protocol="TCP" src_port=61925 dst_port=88 sent_pkts=6 recv_pkts=6 sent_bytes=1802 recv_bytes=1732 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0srczonetype="VPN" srczone="VPN" dstzonetype="LAN" dstzone="LAN" dir_disp="" connevent="Stop" connid="1617126256" vconnid="" hb_health="NoHeartbeat" message="" appresolvedby="Signature" app_is_cloud=0" +<30>device="SFW" date=2018-05-30 time=13:26:37 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010202601001 log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol="UDP" src_port=1353 dst_port=0 
sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="Invalid UDP destination." appresolvedby=" Signature" +<30>device="SFW" date=2018-06-04 time=17:20:24 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=011402601301 log_type="Firewall" log_component="Fragmented Traffic" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=0.0.0.0 src_country_code= dst_ip=0.0.0.0 dst_country_code= protocol="0" src_port=0 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" +<30>device="SFW" date=2018-05-30 time=14:01:32 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010302602002 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=2 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2.611" out_interface="" src_mac=c8:5b:76:ab:72:d3 src_ip=10.198.38.184 src_country_code= dst_ip=10.198.39.255 dst_country_code= protocol="UDP" src_port=137 dst_port=137 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" +<30>device="SFW" 
date=2018-05-30 time=14:17:17 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010402403001 log_type="Firewall" log_component="DoS Attack" log_subtype="Denied" status="Deny" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code= dst_ip=10.198.32.48 dst_country_code= protocol="TCP" src_port=41960 dst_port=22 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby=" Signature" +<30>device="SFW" date=2018-06-05 time=14:30:31 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010502604001 log_type="Firewall" log_component="ICMP Redirection" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.37.23 src_country_code= dst_ip=10.198.36.48 dst_country_code= protocol="ICMP" icmp_type=5 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby=" Signature" +<30>device="SFW" date=2018-05-31 time=17:05:14 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010602605001 log_type="Firewall" log_component="Source Routed" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 
appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=175.16.199.1 dst_country_code= protocol="TCP" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" +<30>device="SFW" date=2018-05-30 time=15:09:51 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=011702605051 log_type="Firewall" log_component="MAC Filter" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2.531" out_interface="" src_mac=1e:3a:5a:5b:23:ab src_ip=fe80::59f5:3ce8:c98e:5062 src_country_code= dst_ip=ff02::1:2 dst_country_code= protocol="UDP" src_port=546 dst_port=547 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" +<30>device="SFW" date=2018-06-01 time=10:57:55 timezone="BST" device_name="XG310" device_id=SFDemo-9a04c43 log_id=016602600006 log_type="Firewall" log_component="Heartbeat" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port3.611" out_interface="" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=10.198.32.19 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0 
sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="Red" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2018-06-01 time=10:55:41 timezone="BST" device_name="XG310" device_id=SFDemo-9a04c43 log_id=016602600003 log_type="Firewall" log_component="Heartbeat" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port3.611" out_interface="" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=72.163.4.185 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="Red" message="" appresolvedby="Signature" app_is_cloud=0 +<01>Feb 11 13:12:45 _gateway device="SFW" date=2021-02-11 time=13:12:45 timezone="CET" device_name="XG210" device_id=dem-dev log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=9 nat_rule_id=16 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" vlan_id="" ether_type=Unknown (0x0000) bridge_name="" bridge_display_name="" in_interface="Port2.109" in_display_interface="CD21-IPs_WAN" out_interface="Port5.200" out_display_interface="Port5" src_mac=11:22:33:44:55:66 dst_mac=66:55:44:33:22:11 src_ip=1.2.3.4 src_country_code=ESP dst_ip=4.3.2.1 dst_country_code=GB protocol="TCP" src_port=33370 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 
tran_src_ip=2.4.6.8 tran_src_port=0 tran_dst_ip=8.6.4.2 tran_dst_port=0 srczonetype="WAN" srczone="WAN" dstzonetype="DMZ" dstzone="Zone 9" dir_disp="" connevent="Start" connid="3933925696" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
+<01>device="SFW" date=2020-06-05 time=03:45:23 timezone="CEST" device_name="SF01V" device_id=SFDemo-ta-vm-55 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=5 nat_rule_id=2 policy_type=1 user_name="" user_gp="" iap=13 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" vlan_id="" ether_type=Unknown (0x0000) bridge_name="" bridge_display_name="" in_interface="Port2" in_display_interface="Port2" out_interface="Port1" out_display_interface="Port1" src_mac=00:50:56:99:51:94 dst_mac=00:50:56:99:3D:AC src_ip=10.146.13.30 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol="TCP" src_port=45294 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=10.8.13.110 tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Start" connid="2674291981" vconnid="" hb_health="No Heartbeat"message="" appresolvedby="Signature" app_is_cloud=0 log_occurrence=1
diff --git a/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json
index 569f5b225b6..d6bb070314e 100644
--- a/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json
+++ b/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json
@@ -138,7 +138,7 @@
 "host.name": "some_other_host.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 983,
+ "log.offset": 982,
 "network.bytes": 0,
 "network.direction": "outbound",
 "network.packets": 0,
@@ -243,7 +243,7 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 1971,
+ "log.offset": 1969,
 "network.bytes": 0,
 "network.packets": 0,
 "network.transport": "tcp",
@@ -329,7 +329,7 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 2867,
+ "log.offset": 2864,
 "network.bytes": 0,
 "network.packets": 0,
 "network.transport": "tcp",
@@ -420,7 +420,7 @@
 "host.name": "some_other_host.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 3780,
+ "log.offset": 3776,
 "network.bytes": 0,
 "network.packets": 0,
 "network.transport": "tcp",
@@ -512,7 +512,7 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 4672,
+ "log.offset": 4667,
 "network.bytes": 0,
 "network.packets": 0,
 "network.transport": "tcp",
@@ -605,7 +605,7 @@
 "host.name": "some_other_host.local",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 5606,
+ "log.offset": 5600,
 "network.bytes": 0,
 "network.packets": 0,
 "network.transport": "udp",
@@ -690,7 +690,7 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 6490,
+ "log.offset": 6483,
 "network.bytes": 0,
 "network.packets": 0,
 "network.transport": "tcp",
@@ -776,7 +776,7 @@
 "host.name": "my_fancy_host",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 7358,
+ "log.offset": 7350,
 "network.bytes": 0,
 "network.direction": "internal",
 "network.packets": 0,
@@ -874,7 +874,7 @@
 "host.name": "some_other_host.local",
 "input.type": "log",
 "log.level": "notification",
- "log.offset": 8333,
+ "log.offset": 8324,
 "network.bytes": 0,
 "network.packets": 0,
 "network.transport": "icmp",
@@ -962,7 +962,7 @@
 "host.name": "some_other_host.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 9254,
+ "log.offset": 9244,
 "network.bytes": 3534,
 "network.packets": 12,
 "network.transport": "tcp",
@@ -1060,7 +1060,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 10194,
+ "log.offset": 10183,
 "network.bytes": 0,
 "network.packets": 0,
 "network.transport": "udp",
@@ -1143,7 +1143,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 11059,
+ "log.offset": 11047,
 "network.bytes": 0,
 "network.packets": 0,
 "network.transport": "0",
@@ -1225,7 +1225,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 11887,
+ "log.offset": 11874,
 "network.bytes": 0,
 "network.packets": 0,
 "network.transport": "udp",
@@ -1311,7 +1311,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 12757,
+ "log.offset": 12743,
 "network.bytes": 0,
 "network.packets": 0,
 "network.transport": "tcp",
@@ -1393,7 +1393,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 13613,
+ "log.offset": 13598,
 "network.bytes": 0,
 "network.packets": 0,
 "network.transport": "icmp",
@@ -1484,7 +1484,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 14455,
+ "log.offset": 14439,
 "network.bytes": 0,
 "network.packets": 0,
 "network.transport": "tcp",
@@ -1567,7 +1567,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 15294,
+ "log.offset": 15277,
 "network.bytes": 0,
 "network.packets": 0,
 "network.transport": "udp",
@@ -1650,7 +1650,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 16166,
+ "log.offset": 16148,
 "network.bytes": 0,
 "network.packets": 0,
 "network.transport": "icmp",
@@ -1735,7 +1735,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 17032,
+ "log.offset": 17013,
 "network.bytes": 0,
 "network.packets": 0,
 "network.transport": "icmp",
@@ -1824,7 +1824,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 17898,
+ "log.offset": 17878,
 "network.bytes": 0,
 "network.direction": "inbound",
 "network.packets": 0,
@@ -1925,7 +1925,7 @@
 "host.name": "firewall.localgroup.local",
 "input.type": "log",
 "log.level": "informational",
- "log.offset": 19045,
+ "log.offset": 19024,
 "network.bytes": 0,
 "network.direction": "outbound",
 "network.packets": 0,
diff --git a/x-pack/filebeat/module/sophos/xg/test/idp.log b/x-pack/filebeat/module/sophos/xg/test/idp.log
index 818b057ba8f..57d9e84066d 100644
--- a/x-pack/filebeat/module/sophos/xg/test/idp.log
+++ b/x-pack/filebeat/module/sophos/xg/test/idp.log
@@ -1,6 +1,6 @@ -<30>device="SFW" date=2020-05-18 time=14:38:54 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name="" signature_id=1881 signature_msg="SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack" classification="access to a potentially vulnerable web application" rule_priority=2 src_ip=67.43.156.12 src_country_code=ROU dst_ip=172.16.68.20 dst_country_code=R1 protocol="TCP" src_port=41528 dst_port=80 platform="BSD,Linux,Mac,Other,Solaris,Unix,Windows" category="server-webapp" target="Server" -<30>device="SFW" date=2020-05-18 time=14:38:55 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name="" signature_id=1616 signature_msg="PROTOCOL-DNS named version attempt" classification="Attempted Information Leak" rule_priority=1 src_ip=89.160.20.156 src_country_code=CHN dst_ip=67.43.156.12 dst_country_code=R1 protocol="UDP" src_port=58914 dst_port=53 platform="BSD,Linux,Mac,Other,Solaris,Unix,Windows" category="protocol-dns" target="Server" -<30>device="SFW" date=2020-05-18 time=14:38:56 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name="" signature_id=53589 signature_msg="SERVER-WEBAPP DrayTek multiple products command injection attempt" classification="Web Application Attack" rule_priority=2 src_ip=67.43.156.12 src_country_code=NLD dst_ip=172.16.68.20 dst_country_code=R1 protocol="TCP" src_port=59476 dst_port=80 platform="Linux,Mac,Other,Unix,Windows" category="server-webapp" target="Server" -<30>device="SFW" date=2018-05-23 time=16:20:34 timezone="BST" device_name="XG750" device_id=SFDemo-f64dd6be log_id=020703406001 
log_type="IDP" log_component="Anomaly" log_subtype="Detect" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name="" signature_id=26022 signature_msg="FILE-PDF EmbeddedFile contained within a PDF" classification="A Network Trojan was detected" rule_priority=1 src_ip=10.0.0.168 src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol="TCP" src_port=28938 dst_port=25 platform="Windows" category="Malware Communication" target="Server" -<30>device="SFW" date=2018-05-23 time=16:16:43 timezone="BST" device_name="XG750" device_id=SFDemo-f64dd6be log_id=020704406002 log_type="IDP" log_component="Anomaly" log_subtype="Drop" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name="" signature_id=26022 signature_msg="FILE-PDF EmbeddedFile contained within a PDF" classification="A Network Trojan was detected" rule_priority=1 src_ip=10.0.1.31 src_country_code=R1 dst_ip=10.1.0.115 dst_country_code=R1 protocol="TCP" src_port=40140 dst_port=25 platform="Windows" category="Malware Communication" target="Server" - +<30>device="SFW" date=2020-05-18 time=14:38:54 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name="" signature_id=1881 signature_msg="SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack" classification="access to a potentially vulnerable web application" rule_priority=2 src_ip=67.43.156.12 src_country_code=ROU dst_ip=172.16.68.20 dst_country_code=R1 protocol="TCP" src_port=41528 dst_port=80 platform="BSD,Linux,Mac,Other,Solaris,Unix,Windows" category="server-webapp" target="Server" +<30>device="SFW" date=2020-05-18 time=14:38:55 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name="" signature_id=1616 signature_msg="PROTOCOL-DNS named version attempt" 
classification="Attempted Information Leak" rule_priority=1 src_ip=89.160.20.156 src_country_code=CHN dst_ip=67.43.156.12 dst_country_code=R1 protocol="UDP" src_port=58914 dst_port=53 platform="BSD,Linux,Mac,Other,Solaris,Unix,Windows" category="protocol-dns" target="Server" +<30>device="SFW" date=2020-05-18 time=14:38:56 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name="" signature_id=53589 signature_msg="SERVER-WEBAPP DrayTek multiple products command injection attempt" classification="Web Application Attack" rule_priority=2 src_ip=67.43.156.12 src_country_code=NLD dst_ip=172.16.68.20 dst_country_code=R1 protocol="TCP" src_port=59476 dst_port=80 platform="Linux,Mac,Other,Unix,Windows" category="server-webapp" target="Server" +<30>device="SFW" date=2018-05-23 time=16:20:34 timezone="BST" device_name="XG750" device_id=SFDemo-f64dd6be log_id=020703406001 log_type="IDP" log_component="Anomaly" log_subtype="Detect" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name="" signature_id=26022 signature_msg="FILE-PDF EmbeddedFile contained within a PDF" classification="A Network Trojan was detected" rule_priority=1 src_ip=10.0.0.168 src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol="TCP" src_port=28938 dst_port=25 platform="Windows" category="Malware Communication" target="Server" +<30>device="SFW" date=2018-05-23 time=16:16:43 timezone="BST" device_name="XG750" device_id=SFDemo-f64dd6be log_id=020704406002 log_type="IDP" log_component="Anomaly" log_subtype="Drop" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name="" signature_id=26022 signature_msg="FILE-PDF EmbeddedFile contained within a PDF" classification="A Network Trojan was detected" rule_priority=1 src_ip=10.0.1.31 src_country_code=R1 dst_ip=10.1.0.115 dst_country_code=R1 protocol="TCP" src_port=40140 dst_port=25 platform="Windows" 
category="Malware Communication" target="Server" + diff --git a/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json index de3cb1b3111..2bfe7cdce63 100644 --- a/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json @@ -106,7 +106,7 @@ "host.name": "my_fancy_host", "input.type": "log", "log.level": "warning", - "log.offset": 645, + "log.offset": 644, "network.transport": "UDP", "observer.product": "XG", "observer.serial_number": "1234567890123456", @@ -184,7 +184,7 @@ "host.name": "some_other_host.local", "input.type": "log", "log.level": "warning", - "log.offset": 1242, + "log.offset": 1240, "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "1234567890123457", @@ -258,7 +258,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "warning", - "log.offset": 1855, + "log.offset": 1852, "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "SFDemo-f64dd6be", @@ -326,7 +326,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "warning", - "log.offset": 2432, + "log.offset": 2428, "network.transport": "TCP", "observer.product": "XG", "observer.serial_number": "SFDemo-f64dd6be", diff --git a/x-pack/filebeat/module/sophos/xg/test/sandbox.log b/x-pack/filebeat/module/sophos/xg/test/sandbox.log index bd64715de04..097b999d89c 100644 --- a/x-pack/filebeat/module/sophos/xg/test/sandbox.log +++ b/x-pack/filebeat/module/sophos/xg/test/sandbox.log 
@@ -1,6 +1,6 @@ -<30>device="SFW" date=2017-01-31 time=14:52:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=138301618041 log_type="Sandbox" log_component="Mail" log_subtype="Allowed" priority=Information user_name="" src_ip= filename="" filetype="" filesize=0 sha1sum="" source="" reason="eligible" destination="" subject="" -<30>device="SFW" date=2017-01-31 time=14:52:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=138302218042 log_type="Sandbox" log_component="Mail" log_subtype="Denied" priority=Critical user_name="jsmith@iview.com" src_ip=10.198.47.112 filename="1.exe" filetype="application/octet-stream" filesize=153006 sha1sum="83cd339302bf5e8ed5240ca6383418089c337a81" source="jsmith@iview.com" reason="cached malicious" destination="" subject="" -<30>device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=136501618041 log_type="Sandbox" log_component="Web" log_subtype="Allowed" priority=Information user_name="" src_ip= filename="" filetype="" filesize=0 sha1sum="" source="" reason="eligible" destination="" subject="" -<30>device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136528618043 log_type="Sandbox" log_component="Web" log_subtype="Pending" priority=Information user_name="jsmith" src_ip=10.198.47.112 filename="19.exe" filetype="application/octet-stream" filesize=153010 sha1sum="3ce799580908df9ca0dc649aa8c2d06ab267e8c8" source="10.198.241.50" reason="pending" destination="" subject="" -<30>device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136502218042 log_type="Sandbox" log_component="Web" log_subtype="Denied" priority=Critical user_name="jsmith" src_ip=10.198.47.112 filename="19.exe" filetype="application/octet-stream" filesize=153010 sha1sum="3ce799580908df9ca0dc649aa8c2d06ab267e8c8" 
source="10.198.241.50" reason="cloud malicious" destination="" subject=" -<30>device="SFW" date=2020-05-18 time=14:38:36 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136502218042 log_type="Sandbox" log_component="Web" log_subtype="Denied" priority=Critical user_name="" src_ip=172.16.34.24 filename="SBTestFile1.pdf" filetype="application/pdf" filesize=1124 sha1sum="d910c4a81122c360fe57f67a04999425a65249db" source="sophostest.com" reason="cached malicious" destination="" subject="" +<30>device="SFW" date=2017-01-31 time=14:52:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=138301618041 log_type="Sandbox" log_component="Mail" log_subtype="Allowed" priority=Information user_name="" src_ip= filename="" filetype="" filesize=0 sha1sum="" source="" reason="eligible" destination="" subject="" +<30>device="SFW" date=2017-01-31 time=14:52:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=138302218042 log_type="Sandbox" log_component="Mail" log_subtype="Denied" priority=Critical user_name="jsmith@iview.com" src_ip=10.198.47.112 filename="1.exe" filetype="application/octet-stream" filesize=153006 sha1sum="83cd339302bf5e8ed5240ca6383418089c337a81" source="jsmith@iview.com" reason="cached malicious" destination="" subject="" +<30>device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=136501618041 log_type="Sandbox" log_component="Web" log_subtype="Allowed" priority=Information user_name="" src_ip= filename="" filetype="" filesize=0 sha1sum="" source="" reason="eligible" destination="" subject="" +<30>device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136528618043 log_type="Sandbox" log_component="Web" log_subtype="Pending" priority=Information user_name="jsmith" src_ip=10.198.47.112 filename="19.exe" filetype="application/octet-stream" filesize=153010 
sha1sum="3ce799580908df9ca0dc649aa8c2d06ab267e8c8" source="10.198.241.50" reason="pending" destination="" subject="" +<30>device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136502218042 log_type="Sandbox" log_component="Web" log_subtype="Denied" priority=Critical user_name="jsmith" src_ip=10.198.47.112 filename="19.exe" filetype="application/octet-stream" filesize=153010 sha1sum="3ce799580908df9ca0dc649aa8c2d06ab267e8c8" source="10.198.241.50" reason="cloud malicious" destination="" subject=" +<30>device="SFW" date=2020-05-18 time=14:38:36 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136502218042 log_type="Sandbox" log_component="Web" log_subtype="Denied" priority=Critical user_name="" src_ip=172.16.34.24 filename="SBTestFile1.pdf" filetype="application/pdf" filesize=1124 sha1sum="d910c4a81122c360fe57f67a04999425a65249db" source="sophostest.com" reason="cached malicious" destination="" subject="" diff --git a/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json index a112d1dc23e..21f888b9327 100644 --- a/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json @@ -72,7 +72,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "critical", - "log.offset": 343, + "log.offset": 342, "observer.product": "XG", "observer.serial_number": "C44310050024-P29PUA", "observer.type": "firewall", @@ -131,7 +131,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", - "log.offset": 809, + "log.offset": 807, "observer.product": "XG", "observer.serial_number": "C44313350024-P29PUA", "observer.type": "firewall", 
@@ -179,7 +179,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "informational", - "log.offset": 1151, + "log.offset": 1148, "observer.product": "XG", "observer.serial_number": "C44310050024-P29PUA", "observer.type": "firewall", @@ -241,7 +241,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "critical", - "log.offset": 1599, + "log.offset": 1595, "observer.product": "XG", "observer.serial_number": "C44310050024-P29PUA", "observer.type": "firewall", @@ -303,7 +303,7 @@ "host.name": "firewall.localgroup.local", "input.type": "log", "log.level": "critical", - "log.offset": 2050, + "log.offset": 2045, "observer.product": "XG", "observer.serial_number": "C44310050024-P29PUA", "observer.type": "firewall", diff --git a/x-pack/filebeat/module/sophos/xg/test/waf.log b/x-pack/filebeat/module/sophos/xg/test/waf.log index ed60311864f..2f99b3b9388 100644 --- a/x-pack/filebeat/module/sophos/xg/test/waf.log +++ b/x-pack/filebeat/module/sophos/xg/test/waf.log 
@@ -1,5 +1,5 @@ -<30>device="SFW" date=2020-05-18 time=14:38:46 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=webmail.elasticuser.com sourceip=216.160.83.61 localip=185.8.209.207 ws_protocol="HTTP/1.1" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie="MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL" referer=- method=POST httpstatus=401 reason="-" extra="-" contenttype="-" useragent="Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)" host=216.160.83.61 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79 -<30>device="SFW" date=2020-05-18 time=14:38:47 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=webmail.elasticuser.com sourceip=216.160.83.61 localip=185.8.209.207 ws_protocol="HTTP/1.1" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie="MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M" referer=- method=POST httpstatus=200 reason="-" extra="-" contenttype="application/mapi-http" useragent="Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)" host=216.160.83.61 responsetime=14086 bytessent=1357 
bytesrcv=1774 fw_rule_id=79 -<30>device="SFW" date=2020-05-19 time=17:20:29 timezone="IST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="jsmith" server=www.iviewtest.com:8989 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol="HTTP/1.1" url=/ querystring= cookie="-" referer=- method=GET httpstatus=403 reason="Static URL Hardening" extra="No signature found" contenttype="text/html" useragent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" host=10.198.235.254 responsetime=19310 bytessent=726 bytesrcv=510 fw_rule_id=3 -<30>device="SFW" date=2020-05-19 time=18:03:30 timezone="IST" device_name="XG230" device_id=1234567890123456 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="jsmith" server=www.iviewtest.com:8990 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol="HTTP/1.1" url=/download/eicarcom2.zip querystring= cookie="; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*" referer=http://www.iviewtest.com:8990/85-0-Download.html method=GET httpstatus=403 reason="Antivirus" extra="EICAR-AV-Test" contenttype="text/html" useragent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" host=10.198.235.254 responsetime=403214 bytessent=739 bytesrcv=715 fw_rule_id=6 -<30>device="SFW" date=2020-05-20 time=18:03:31 timezone="IST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=- sourceip=89.160.20.112 localip=216.167.51.72 ws_protocol="HTTP/1.0" url=/ querystring="" cookie="-" referer="-" method=GET httpstatus=403 reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header" 
contenttype="text/html" useragent="-" host=89.160.20.112 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3 +<30>device="SFW" date=2020-05-18 time=14:38:46 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=webmail.elasticuser.com sourceip=216.160.83.61 localip=185.8.209.207 ws_protocol="HTTP/1.1" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie="MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL" referer=- method=POST httpstatus=401 reason="-" extra="-" contenttype="-" useragent="Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)" host=216.160.83.61 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79 +<30>device="SFW" date=2020-05-18 time=14:38:47 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=webmail.elasticuser.com sourceip=216.160.83.61 localip=185.8.209.207 ws_protocol="HTTP/1.1" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie="MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M" referer=- method=POST httpstatus=200 reason="-" extra="-" contenttype="application/mapi-http" useragent="Microsoft Office/16.0 (Windows NT 
6.2; Microsoft Outlook 16.0.4954; Pro)" host=216.160.83.61 responsetime=14086 bytessent=1357 bytesrcv=1774 fw_rule_id=79 +<30>device="SFW" date=2020-05-19 time=17:20:29 timezone="IST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="jsmith" server=www.iviewtest.com:8989 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol="HTTP/1.1" url=/ querystring= cookie="-" referer=- method=GET httpstatus=403 reason="Static URL Hardening" extra="No signature found" contenttype="text/html" useragent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" host=10.198.235.254 responsetime=19310 bytessent=726 bytesrcv=510 fw_rule_id=3 +<30>device="SFW" date=2020-05-19 time=18:03:30 timezone="IST" device_name="XG230" device_id=1234567890123456 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="jsmith" server=www.iviewtest.com:8990 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol="HTTP/1.1" url=/download/eicarcom2.zip querystring= cookie="; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*" referer=http://www.iviewtest.com:8990/85-0-Download.html method=GET httpstatus=403 reason="Antivirus" extra="EICAR-AV-Test" contenttype="text/html" useragent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" host=10.198.235.254 responsetime=403214 bytessent=739 bytesrcv=715 fw_rule_id=6 +<30>device="SFW" date=2020-05-20 time=18:03:31 timezone="IST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=- sourceip=89.160.20.112 localip=216.167.51.72 ws_protocol="HTTP/1.0" url=/ querystring="" cookie="-" referer="-" method=GET httpstatus=403 reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded 
(Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header" contenttype="text/html" useragent="-" host=89.160.20.112 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3 diff --git a/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json index 9ed26bd14d0..0408fb4ab4e 100644 --- a/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json @@ -102,7 +102,7 @@ "http.version": "HTTP/1.1", "input.type": "log", "log.level": "informational", - "log.offset": 993, + "log.offset": 992, "observer.product": "XG", "observer.serial_number": "1234567890123457", "observer.type": "firewall", @@ -179,7 +179,7 @@ "http.version": "HTTP/1.1", "input.type": "log", "log.level": "informational", - "log.offset": 2004, + "log.offset": 2002, "observer.product": "XG", "observer.serial_number": "1234567890123457", "observer.type": "firewall", @@ -252,7 +252,7 @@ "http.version": "HTTP/1.1", "input.type": "log", "log.level": "informational", - "log.offset": 2640, + "log.offset": 2637, "observer.product": "XG", "observer.serial_number": "1234567890123456", "observer.type": "firewall", @@ -327,7 +327,7 @@ "http.version": "HTTP/1.0", "input.type": "log", "log.level": "informational", - "log.offset": 3453, + "log.offset": 3449, "observer.product": "XG", "observer.serial_number": "1234567890123457", "observer.type": "firewall", From a0ea0c0b5821627ef398ffea27a6003223d76f6c Mon Sep 17 00:00:00 2001 From: Dan Kortschak Date: Tue, 4 Jan 2022 10:17:32 +1030 Subject: [PATCH 3/5] make update --- NOTICE.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NOTICE.txt b/NOTICE.txt index 148e4680e06..7853a149231 100644 --- a/NOTICE.txt +++ b/NOTICE.txt 
@@ -1,5 +1,5 @@ Elastic Beats -Copyright 2014-2021 Elasticsearch BV +Copyright 2014-2022 Elasticsearch BV This product includes software developed by The Apache Software Foundation (http://www.apache.org/). From d8921fc3f23c660474b6e3e1b303057f8ac59700 Mon Sep 17 00:00:00 2001 From: Dan Kortschak Date: Tue, 4 Jan 2022 12:40:25 +1030 Subject: [PATCH 4/5] regenerate golden files --- .../xg/test/anti-spam.log-expected.json | 11 ---------- .../xg/test/anti-virus.log-expected.json | 8 ------- .../sophos/xg/test/atp.log-expected.json | 4 ---- .../sophos/xg/test/cfilter.log-expected.json | 9 -------- .../sophos/xg/test/event.log-expected.json | 19 ---------------- .../sophos/xg/test/firewall.log-expected.json | 22 ------------------- .../sophos/xg/test/idp.log-expected.json | 5 ----- .../sophos/xg/test/sandbox.log-expected.json | 6 ----- .../xg/test/system-health.log-expected.json | 5 ----- .../sophos/xg/test/waf.log-expected.json | 5 ----- .../sophos/xg/test/wifi.log-expected.json | 2 -- 11 files changed, 96 deletions(-) diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json index d01fd9f6f6a..3a12b85cdc7 100644 --- a/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-05-18T14:38:48.000-02:00", "client.bytes": 0, "client.port": 0, "destination.bytes": 0, @@ -63,7 +62,6 @@ ] }, { - "@timestamp": "2020-05-18T14:38:49.000-02:00", "client.bytes": 0, "client.ip": "89.160.20.156", "client.port": 52742, @@ -142,7 +140,6 @@ ] }, { - "@timestamp": "2020-05-18T14:38:50.000-02:00", "client.bytes": 0, "client.ip": "67.43.156.12", "client.port": 51789, @@ -219,7 +216,6 @@ ] }, { - "@timestamp": "2020-05-18T14:38:51.000-02:00", "client.bytes": 0, "client.ip": "67.43.156.14", "client.port": 55002, 
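Review bot: Every hunk in this commit deletes the `@timestamp` entry from the golden output without the description saying why, beginning with the first record of anti-spam.log-expected.json here and repeated across the anti-virus, atp, cfilter and event expected files in view (and, per the diffstat, the rest of the sophos/xg golden set). The test harness presumably strips `@timestamp` only when the event time is not deterministic, so a regeneration that removes it suggests the pipeline no longer derives `@timestamp` from the record's `date`/`time`/`timezone` fields, or that the comparison no longer pins it; either way the commit should state which, since detections and forensic timelines built on these events rely on the original event time rather than ingest time. The removed values all carry a `-02:00` offset while the visible `.log` fixtures declare timezones such as CEST and IST, which hints that the old expectations were wrong rather than merely redundant, and that point deserves a sentence too. A one-line addition to the commit message along the lines of `Golden files regenerated after the pipeline change earlier in this series; @timestamp is now <REASON - fill in> and is therefore no longer part of the expected output` would make the behaviour change reviewable.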
@@ -296,7 +292,6 @@ ] }, { - "@timestamp": "2017-01-31T18:34:41.000-02:00", "client.bytes": 0, "client.ip": "10.198.47.71", "client.port": 22420, @@ -367,7 +362,6 @@ ] }, { - "@timestamp": "2018-06-06T11:10:11.000-02:00", "client.bytes": 0, "client.ip": "10.198.16.121", "client.port": 58043, @@ -438,7 +432,6 @@ ] }, { - "@timestamp": "2018-06-06T12:50:07.000-02:00", "client.bytes": 0, "client.ip": "10.198.16.121", "client.port": 60134, @@ -509,7 +502,6 @@ ] }, { - "@timestamp": "2018-06-06T12:51:34.000-02:00", "client.bytes": 0, "client.ip": "10.198.16.121", "client.port": 60298, @@ -578,7 +570,6 @@ ] }, { - "@timestamp": "2018-06-06T12:53:39.000-02:00", "client.bytes": 0, "client.ip": "10.198.16.121", "client.port": 60392, @@ -644,7 +635,6 @@ ] }, { - "@timestamp": "2018-06-06T12:56:53.000-02:00", "client.bytes": 0, "client.ip": "10.198.16.121", "client.port": 60608, @@ -714,7 +704,6 @@ ] }, { - "@timestamp": "2017-01-31T18:31:11.000-02:00", "client.bytes": 0, "client.ip": "10.198.47.71", "client.port": 22333, diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json index ffbbcf87eb7..e21ac56d23d 100644 --- a/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-05-18T14:38:33.000-02:00", "client.bytes": 550, "client.ip": "172.16.34.24", "client.port": 57695, @@ -74,7 +73,6 @@ "user_agent.original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" }, { - "@timestamp": "2020-05-18T14:38:34.000-02:00", "client.bytes": 541, "client.ip": "172.16.34.24", "client.port": 57835, 
@@ -148,7 +146,6 @@ "user_agent.original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" }, { - "@timestamp": "2020-05-18T14:38:35.000-02:00", "client.bytes": 0, "client.ip": "1.128.3.4", "client.port": 56336, @@ -224,7 +221,6 @@ "url.domain": "farasamed.com" }, { - "@timestamp": "2020-05-18T14:38:36.000-02:00", "client.bytes": 0, "client.ip": "216.160.83.61", "client.port": 54693, @@ -307,7 +303,6 @@ "url.domain": "divella.it" }, { - "@timestamp": "2018-06-06T10:51:29.000-02:00", "client.bytes": 0, "client.ip": "10.198.16.121", "client.port": 56653, @@ -381,7 +376,6 @@ "url.domain": "postman.local" }, { - "@timestamp": "2018-06-06T10:58:29.000-02:00", "client.bytes": 0, "client.ip": "10.198.16.121", "client.port": 56632, @@ -455,7 +449,6 @@ "url.domain": "postman.local" }, { - "@timestamp": "2018-06-21T19:50:23.000-02:00", "client.bytes": 0, "client.ip": "10.146.13.49", "client.port": 39910, @@ -527,7 +520,6 @@ ] }, { - "@timestamp": "2018-06-21T19:50:48.000-02:00", "client.bytes": 0, "client.ip": "10.146.13.49", "client.port": 39936, diff --git a/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json index 16b796d1d50..61f202c8826 100644 --- a/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2017-01-31T18:44:31.000-02:00", "client.ip": "10.198.47.71", "client.port": 22623, "destination.ip": "46.161.30.47", @@ -65,7 +64,6 @@ "url.original": "46.161.30.47" }, { - "@timestamp": "2020-05-18T14:38:34.000-02:00", "client.ip": "172.16.34.24", "client.port": 57579, "destination.ip": "13.226.155.22", @@ -130,7 +128,6 @@ "url.scheme": "http" }, { - "@timestamp": "2020-05-18T14:38:35.000-02:00", "client.ip": "172.16.34.24", "client.port": 57540, "destination.ip": "13.226.155.22", 
@@ -195,7 +192,6 @@ "url.scheme": "http" }, { - "@timestamp": "2018-06-05T08:49:00.000-02:00", "client.ip": "10.198.32.89", "client.port": 0, "destination.ip": "82.211.30.202", diff --git a/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json index 9bc411835c7..aa00ab04538 100644 --- a/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2017-01-31T14:03:33.000-02:00", "client.ip": "10.198.47.71", "client.port": 9444, "destination.ip": "182.79.221.19", @@ -70,7 +69,6 @@ "url.scheme": "https" }, { - "@timestamp": "2017-02-01T18:20:21.000-02:00", "client.ip": "216.160.83.57", "client.port": 46719, "destination.ip": "216.58.197.44", @@ -146,7 +144,6 @@ "url.scheme": "http" }, { - "@timestamp": "2017-02-01T18:13:29.000-02:00", "client.ip": "216.160.83.57", "client.port": 49128, "destination.ip": "74.125.130.188", @@ -223,7 +220,6 @@ ] }, { - "@timestamp": "2020-05-18T14:38:51.000-02:00", "client.ip": "172.17.34.10", "client.port": 62851, "destination.ip": "13.79.168.201", @@ -291,7 +287,6 @@ "url.scheme": "https" }, { - "@timestamp": "2020-05-18T14:38:52.000-02:00", "client.ip": "172.16.34.15", "client.port": 60471, "destination.ip": "40.90.137.127", @@ -361,7 +356,6 @@ "url.scheme": "https" }, { - "@timestamp": "2020-05-18T14:38:53.000-02:00", "client.ip": "1.128.3.4", "client.port": 65391, "destination.ip": "91.228.167.133", @@ -434,7 +428,6 @@ "user_agent.original": "EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; " }, { - "@timestamp": "2016-12-02T18:50:20.000-02:00", "client.ip": "10.108.108.49", "event.action": "alert", "event.category": [ 
@@ -488,7 +481,6 @@ ] }, { - "@timestamp": "2016-12-02T18:50:20.000-02:00", "client.ip": "192.168.73.220", "client.port": 37832, "destination.ip": "64.233.189.147", @@ -559,7 +551,6 @@ "url.scheme": "http" }, { - "@timestamp": "2016-12-02T18:50:22.000-02:00", "client.ip": "192.168.73.220", "client.port": 46322, "destination.ip": "64.233.188.94", diff --git a/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json index 26d15e9a785..27e381dabce 100644 --- a/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-05-18T14:38:57.000-02:00", "client.ip": "172.17.35.116", "event.category": [ "authentication" @@ -57,7 +56,6 @@ "user.name": "elastic.user@elastic.test.com" }, { - "@timestamp": "2020-05-18T14:38:58.000-02:00", "client.ip": "89.160.20.112", "destination.as.number": 721, "destination.as.organization.name": "DoD Network Information Center", @@ -121,7 +119,6 @@ ] }, { - "@timestamp": "2020-05-18T14:38:59.000-02:00", "event.code": "062511318057", "event.dataset": "sophos.xg", "event.kind": "event", @@ -158,7 +155,6 @@ ] }, { - "@timestamp": "2020-05-18T14:39:00.000-02:00", "client.ip": "67.43.156.13", "event.category": [ "authentication" @@ -219,7 +215,6 @@ "user.name": "elastic.user@elastic.test.com" }, { - "@timestamp": "2020-05-18T14:39:01.000-02:00", "event.category": [ "host", "malware" @@ -264,7 +259,6 @@ ] }, { - "@timestamp": "2020-05-18T14:39:02.000-02:00", "event.code": "063411660022", "event.dataset": "sophos.xg", "event.kind": "event", @@ -302,7 +296,6 @@ ] }, { - "@timestamp": "2020-05-18T14:39:03.000-02:00", "client.ip": "81.2.69.145", "event.category": [ "authentication" @@ -365,7 +358,6 @@ "user.name": "elastic.user@elastic.test.com" }, { - "@timestamp": "2020-05-20T05:47:46.000-02:00", "client.bytes": 0, "destination.bytes": 0, "event.code": "062811617824", 
@@ -414,7 +406,6 @@ ] }, { - "@timestamp": "2020-05-18T14:39:05.000-02:00", "client.ip": "1.128.3.4", "event.category": [ "authentication" @@ -468,7 +459,6 @@ "user.name": "hendrikl" }, { - "@timestamp": "2020-05-18T14:39:06.000-02:00", "event.code": "066911518017", "event.dataset": "sophos.xg", "event.kind": "event", @@ -506,7 +496,6 @@ ] }, { - "@timestamp": "2020-05-18T14:39:07.000-02:00", "client.ip": "10.83.234.5", "event.code": "062009617502", "event.dataset": "sophos.xg", @@ -552,7 +541,6 @@ ] }, { - "@timestamp": "2020-05-18T14:39:08.000-02:00", "client.ip": "175.16.199.1", "event.code": "062109517507", "event.dataset": "sophos.xg", @@ -606,7 +594,6 @@ ] }, { - "@timestamp": "2020-05-18T14:39:09.000-02:00", "event.code": "063911517818", "event.dataset": "sophos.xg", "event.kind": "event", @@ -644,7 +631,6 @@ ] }, { - "@timestamp": "2020-05-18T14:39:10.000-02:00", "event.code": "063311617923", "event.dataset": "sophos.xg", "event.kind": "event", @@ -680,7 +666,6 @@ ] }, { - "@timestamp": "2020-06-02T06:29:36.000-02:00", "client.bytes": 0, "client.ip": "10.84.234.38", "destination.bytes": 0, @@ -744,7 +729,6 @@ "user.name": "elastic.user@elastic.test.com" }, { - "@timestamp": "2017-03-16T12:56:01.000-02:00", "client.bytes": 0, "destination.bytes": 0, "event.code": "066811618014", @@ -790,7 +774,6 @@ ] }, { - "@timestamp": "2017-03-16T12:53:27.000-02:00", "client.bytes": 22368, "destination.bytes": 31488, "event.code": "066811618015", @@ -836,7 +819,6 @@ ] }, { - "@timestamp": "2017-03-16T12:46:26.000-02:00", "client.bytes": 0, "destination.bytes": 0, "event.code": "066811618016", @@ -882,7 +864,6 @@ ] }, { - "@timestamp": "2018-06-06T11:12:10.000-02:00", "event.code": "063711517815", "event.dataset": "sophos.xg", "event.kind": "event", diff --git a/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json index d6bb070314e..4f2f390525c 100644 
--- a/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-05-18T14:38:37.000-02:00", "client.bytes": 459, "client.ip": "1.128.3.4", "client.mac": "00:00:00:00:00:00", @@ -102,7 +101,6 @@ ] }, { - "@timestamp": "2020-05-18T14:38:38.000-02:00", "client.bytes": 0, "client.ip": "67.43.156.12", "client.mac": "00:00:00:00:00:00", @@ -208,7 +206,6 @@ ] }, { - "@timestamp": "2020-05-18T14:38:39.000-02:00", "client.bytes": 0, "client.ip": "172.17.35.113", "client.mac": "24:01:c7:07:2b:a2", @@ -295,7 +292,6 @@ ] }, { - "@timestamp": "2020-05-18T14:38:40.000-02:00", "client.bytes": 0, "client.ip": "10.82.234.6", "client.nat.port": 0, @@ -385,7 +381,6 @@ ] }, { - "@timestamp": "2020-05-18T14:38:41.000-02:00", "client.bytes": 0, "client.ip": "67.43.156.12", "client.mac": "c4:f7:d5:b5:47:f4", @@ -477,7 +472,6 @@ ] }, { - "@timestamp": "2020-05-18T14:38:42.000-02:00", "client.bytes": 0, "client.ip": "172.17.35.101", "client.mac": "24:01:c7:07:2b:a2", @@ -569,7 +563,6 @@ ] }, { - "@timestamp": "2020-05-18T14:38:43.000-02:00", "client.bytes": 0, "client.ip": "172.16.36.105", "client.mac": "34:db:fd:83:d8:09", @@ -656,7 +649,6 @@ ] }, { - "@timestamp": "2020-05-18T14:38:44.000-02:00", "client.bytes": 0, "client.ip": "10.82.234.9", "client.nat.port": 0, @@ -740,7 +732,6 @@ ] }, { - "@timestamp": "2020-05-18T14:38:45.000-02:00", "client.bytes": 0, "client.ip": "10.84.234.7", "client.mac": "00:00:00:00:00:00", @@ -840,7 +831,6 @@ ] }, { - "@timestamp": "2020-05-18T14:38:45.000-02:00", "client.bytes": 0, "client.ip": "192.168.1.254", "client.mac": "34:db:fd:83:d8:09", @@ -927,7 +917,6 @@ ] }, { - "@timestamp": "2020-06-05T12:38:53.000-02:00", "client.bytes": 1802, "client.ip": "172.17.35.119", "client.mac": "00:00:00:00:00:00", 
@@ -1018,7 +1007,6 @@ ] }, { - "@timestamp": "2018-05-30T13:26:37.000-02:00", "client.bytes": 0, "client.ip": "10.198.32.19", "client.nat.port": 0, @@ -1109,7 +1097,6 @@ ] }, { - "@timestamp": "2018-06-04T17:20:24.000-02:00", "client.bytes": 0, "client.ip": "0.0.0.0", "client.nat.port": 0, @@ -1190,7 +1177,6 @@ ] }, { - "@timestamp": "2018-05-30T14:01:32.000-02:00", "client.bytes": 0, "client.ip": "10.198.38.184", "client.mac": "c8:5b:76:ab:72:d3", @@ -1275,7 +1261,6 @@ ] }, { - "@timestamp": "2018-05-30T14:17:17.000-02:00", "client.bytes": 0, "client.ip": "10.198.32.19", "client.mac": "b8:97:5a:5b:0f:fd", @@ -1361,7 +1346,6 @@ ] }, { - "@timestamp": "2018-06-05T14:30:31.000-02:00", "client.bytes": 0, "client.ip": "10.198.37.23", "client.nat.port": 0, @@ -1441,7 +1425,6 @@ ] }, { - "@timestamp": "2018-05-31T17:05:14.000-02:00", "client.bytes": 0, "client.ip": "10.198.12.19", "client.nat.port": 0, @@ -1532,7 +1515,6 @@ ] }, { - "@timestamp": "2018-05-30T15:09:51.000-02:00", "client.bytes": 0, "client.ip": "fe80::59f5:3ce8:c98e:5062", "client.mac": "1e:3a:5a:5b:23:ab", @@ -1617,7 +1599,6 @@ ] }, { - "@timestamp": "2018-06-01T10:57:55.000-02:00", "client.bytes": 0, "client.ip": "10.198.37.57", "client.mac": "08:00:27:4c:49:e3", @@ -1701,7 +1682,6 @@ ] }, { - "@timestamp": "2018-06-01T10:55:41.000-02:00", "client.bytes": 0, "client.ip": "10.198.37.57", "client.mac": "08:00:27:4c:49:e3", @@ -1786,7 +1766,6 @@ ] }, { - "@timestamp": "2021-02-11T13:12:45.000-02:00", "client.bytes": 0, "client.ip": "1.2.3.4", "client.mac": "11:22:33:44:55:66", @@ -1888,7 +1867,6 @@ ] }, { - "@timestamp": "2020-06-05T03:45:23.000-02:00", "client.bytes": 0, "client.ip": "10.146.13.30", "client.mac": "00:50:56:99:51:94", diff --git a/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json index 2bfe7cdce63..37b56704bb4 100644 --- a/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json 
+++ b/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-05-18T14:38:54.000-02:00", "client.ip": "67.43.156.12", "client.port": 41528, "destination.ip": "172.16.68.20", @@ -74,7 +73,6 @@ ] }, { - "@timestamp": "2020-05-18T14:38:55.000-02:00", "client.ip": "89.160.20.156", "client.port": 58914, "destination.as.number": 35908, @@ -158,7 +156,6 @@ ] }, { - "@timestamp": "2020-05-18T14:38:56.000-02:00", "client.ip": "67.43.156.12", "client.port": 59476, "destination.ip": "172.16.68.20", @@ -232,7 +229,6 @@ ] }, { - "@timestamp": "2018-05-23T16:20:34.000-02:00", "client.ip": "10.0.0.168", "client.port": 28938, "destination.ip": "10.1.1.234", @@ -300,7 +296,6 @@ ] }, { - "@timestamp": "2018-05-23T16:16:43.000-02:00", "client.ip": "10.0.1.31", "client.port": 40140, "destination.ip": "10.1.0.115", diff --git a/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json index 21f888b9327..15343c1e3e2 100644 --- a/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2017-01-31T14:52:11.000-02:00", "event.action": "Allowed", "event.category": [ "network" @@ -46,7 +45,6 @@ ] }, { - "@timestamp": "2017-01-31T14:52:11.000-02:00", "client.ip": "10.198.47.112", "event.action": "Denied", "event.category": [ @@ -108,7 +106,6 @@ ] }, { - "@timestamp": "2017-01-31T15:28:25.000-02:00", "event.action": "Allowed", "event.category": [ "network" @@ -154,7 +151,6 @@ ] }, { - "@timestamp": "2017-01-31T15:28:25.000-02:00", "client.ip": "10.198.47.112", "event.action": "Pending", "event.category": [ @@ -215,7 +211,6 @@ ] }, { - "@timestamp": "2017-01-31T15:28:25.000-02:00", "client.ip": "10.198.47.112", "event.action": "Denied", "event.category": [ 
@@ -277,7 +272,6 @@ ] }, { - "@timestamp": "2020-05-18T14:38:36.000-02:00", "client.ip": "172.16.34.24", "event.action": "Denied", "event.category": [ diff --git a/x-pack/filebeat/module/sophos/xg/test/system-health.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/system-health.log-expected.json index f3f6f6a4597..9af985b4a36 100644 --- a/x-pack/filebeat/module/sophos/xg/test/system-health.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/system-health.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2018-06-05T15:10:00.000-02:00", "event.code": "127626618031", "event.dataset": "sophos.xg", "event.kind": "event", @@ -37,7 +36,6 @@ ] }, { - "@timestamp": "2018-06-05T15:10:00.000-02:00", "event.code": "127726618031", "event.dataset": "sophos.xg", "event.kind": "event", @@ -75,7 +73,6 @@ ] }, { - "@timestamp": "2018-06-05T15:10:00.000-02:00", "event.code": "123526618031", "event.dataset": "sophos.xg", "event.kind": "event", @@ -117,7 +114,6 @@ ] }, { - "@timestamp": "2018-06-05T15:10:00.000-02:00", "event.code": "127826618031", "event.dataset": "sophos.xg", "event.kind": "event", @@ -155,7 +151,6 @@ ] }, { - "@timestamp": "2018-06-05T15:10:00.000-02:00", "event.code": "127926618031", "event.dataset": "sophos.xg", "event.kind": "event", diff --git a/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json index 0408fb4ab4e..e944e04898d 100644 --- a/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-05-18T14:38:46.000-02:00", "client.bytes": 1419, "client.ip": "216.160.83.61", "destination.bytes": 401, @@ -75,7 +74,6 @@ "user_agent.original": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)" }, { - "@timestamp": "2020-05-18T14:38:47.000-02:00", "client.bytes": 1774, "client.ip": "216.160.83.61", "destination.bytes": 200, 
@@ -151,7 +149,6 @@ "user_agent.original": "Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)" }, { - "@timestamp": "2020-05-19T17:20:29.000-02:00", "client.bytes": 510, "client.ip": "10.198.235.254", "destination.bytes": 403, @@ -223,7 +220,6 @@ "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" }, { - "@timestamp": "2020-05-19T18:03:30.000-02:00", "client.bytes": 715, "client.ip": "10.198.235.254", "destination.bytes": 403, @@ -299,7 +295,6 @@ "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" }, { - "@timestamp": "2020-05-20T18:03:31.000-02:00", "client.bytes": 295, "client.ip": "89.160.20.112", "destination.bytes": 403, diff --git a/x-pack/filebeat/module/sophos/xg/test/wifi.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/wifi.log-expected.json index d934c831d2a..d23e1273de3 100644 --- a/x-pack/filebeat/module/sophos/xg/test/wifi.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/wifi.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2017-02-01T14:17:35.000-02:00", "event.code": "106025618011", "event.dataset": "sophos.xg", "event.kind": "event", @@ -38,7 +37,6 @@ ] }, { - "@timestamp": "2017-02-01T14:19:47.000-02:00", "event.code": "106025618011", "event.dataset": "sophos.xg", "event.kind": "event", From 3721b6b018a4485d105c5cd8d99de53caa92f636 Mon Sep 17 00:00:00 2001 From: Dan Kortschak Date: Tue, 4 Jan 2022 15:21:20 +1030 Subject: [PATCH 5/5] bring cisco asa into the new year --- .../additional_messages.log-expected.json | 36 +++---- .../cisco/asa/test/asa.log-expected.json | 100 ------------------ .../asa/test/hostnames.log-expected.json | 2 - .../cisco/asa/test/not-ip.log-expected.json | 3 - .../cisco/asa/test/sample.log-expected.json | 87 --------------- 5 files changed, 18 insertions(+), 210 deletions(-) 
diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
index ca9623da72a..2992f9a237c 100644
--- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
@@ -181,12 +181,12 @@
 "event.code": 609002,
 "event.dataset": "cisco.asa",
 "event.duration": 0,
- "event.end": "2021-05-05T17:51:17.000-02:00",
+ "event.end": "2022-05-05T17:51:17.000-02:00",
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%FTD-7-609002: Teardown local-host net:192.168.2.2 duration 0:00:00",
 "event.severity": 7,
- "event.start": "2021-05-05T19:51:17.000Z",
+ "event.start": "2022-05-05T19:51:17.000Z",
 "event.timezone": "-02:00",
 "event.type": [
 "connection",
@@ -701,12 +701,12 @@
 "event.code": 609002,
 "event.dataset": "cisco.asa",
 "event.duration": 0,
- "event.end": "2021-05-05T18:24:31.000-02:00",
+ "event.end": "2022-05-05T18:24:31.000-02:00",
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-7-609002: Teardown local-host identity:10.10.10.10 duration 0:00:00",
 "event.severity": 7,
- "event.start": "2021-05-05T20:24:31.000Z",
+ "event.start": "2022-05-05T20:24:31.000Z",
 "event.timezone": "-02:00",
 "event.type": [
 "connection",
@@ -849,13 +849,13 @@
 "event.code": 302014,
 "event.dataset": "cisco.asa",
 "event.duration": 0,
- "event.end": "2021-05-05T18:29:32.000-02:00",
+ "event.end": "2022-05-05T18:29:32.000-02:00",
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I",
 "event.reason": "TCP Reset-I",
 "event.severity": 6,
- "event.start": "2021-05-05T20:29:32.000Z",
+ "event.start": "2022-05-05T20:29:32.000Z",
 "event.timezone": "-02:00",
 "event.type": [
 "connection",
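Review bot: The `event.start`/`event.end` expectations in this hunk, and in every other hunk of this file through the `@@ -3228,13 +3228,13 @@` hunk, encode the year in which the fixtures were last regenerated: the `event.original` strings carry no date at all, so the year is presumably supplied from a syslog header that lacks one and is resolved against the clock at test time. That means this exact bump will be needed again next January, and the module tests will fail in CI from New Year until someone repeats it. If the test harness can pin the reference time, doing so would make these expectations stable; failing that, the same commit already drops `@timestamp` from the other expected files, and giving `event.start`/`event.end` the same treatment where they derive from a year-less timestamp would remove the annual churn. At minimum, a note in the test directory along the lines of `Timestamps without a year in the source logs are resolved against the current year; regenerate the expected files each January.` would document why these values move.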
@@ -966,12 +966,12 @@
 "event.code": 305012,
 "event.dataset": "cisco.asa",
 "event.duration": 0,
- "event.end": "2021-05-05T18:29:32.000-02:00",
+ "event.end": "2022-05-05T18:29:32.000-02:00",
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-305012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00",
 "event.severity": 6,
- "event.start": "2021-05-05T20:29:32.000Z",
+ "event.start": "2022-05-05T20:29:32.000Z",
 "event.timezone": "-02:00",
 "event.type": [
 "connection",
@@ -1175,12 +1175,12 @@
 "event.code": 302016,
 "event.dataset": "cisco.asa",
 "event.duration": 124000000000,
- "event.end": "2021-05-05T18:40:50.000-02:00",
+ "event.end": "2022-05-05T18:40:50.000-02:00",
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:192.186.2.2/53356 duration 0:02:04 bytes 64585",
 "event.severity": 2,
- "event.start": "2021-05-05T20:38:46.000Z",
+ "event.start": "2022-05-05T20:38:46.000Z",
 "event.timezone": "-02:00",
 "event.type": [
 "connection",
@@ -1812,13 +1812,13 @@
 "event.code": 302023,
 "event.dataset": "cisco.asa",
 "event.duration": 0,
- "event.end": "2021-05-05T19:02:58.000-02:00",
+ "event.end": "2022-05-05T19:02:58.000-02:00",
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner",
 "event.reason": "Cluster flow with CLU closed on owner",
 "event.severity": 6,
- "event.start": "2021-05-05T21:02:58.000Z",
+ "event.start": "2022-05-05T21:02:58.000Z",
 "event.timezone": "-02:00",
 "event.type": [
 "info"
@@ -1868,13 +1868,13 @@
 "event.code": 302023,
 "event.dataset": "cisco.asa",
 "event.duration": 0,
- "event.end": "2021-05-05T19:02:58.000-02:00",
+ "event.end": "2022-05-05T19:02:58.000-02:00",
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow",
 "event.reason": "Forwarding or redirect flow removed to create director or backup flow",
 "event.severity": 6,
- "event.start": "2021-05-05T21:02:58.000Z",
+ "event.start": "2022-05-05T21:02:58.000Z",
 "event.timezone": "-02:00",
 "event.type": [
 "info"
@@ -2687,13 +2687,13 @@
 "event.code": 302304,
 "event.dataset": "cisco.asa",
 "event.duration": 3602000000000,
- "event.end": "2021-04-27T04:12:23.000-02:00",
+ "event.end": "2022-04-27T04:12:23.000-02:00",
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:81.2.69.143/54242 to server.deflan:67.43.156.12/9101 duration 1:00:02 bytes 245 Connection timeout",
 "event.reason": "Connection timeout",
 "event.severity": 6,
- "event.start": "2021-04-27T05:12:21.000Z",
+ "event.start": "2022-04-27T05:12:21.000Z",
 "event.timezone": "-02:00",
 "event.type": [
 "connection",
@@ -3228,13 +3228,13 @@
 "event.code": 113019,
 "event.dataset": "cisco.asa",
 "event.duration": 1936000000000,
- "event.end": "2021-04-27T02:03:03.000-02:00",
+ "event.end": "2022-04-27T02:03:03.000-02:00",
 "event.kind": "event",
 "event.module": "cisco",
 "event.original": "%ASA-4-113019: Group = 81.2.69.143, Username = 81.2.69.143, IP = 81.2.69.143, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested",
 "event.reason": "User Requested",
 "event.severity": 4,
- "event.start": "2021-04-27T03:30:47.000Z",
+ "event.start": "2022-04-27T03:30:47.000Z",
 "event.timezone": "-02:00",
 "event.type": [
 "info"
diff --git a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json
index 81c80ebf991..ebd653dfbc0 100644
--- a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json
@@ -1,6 +1,5 @@
 [
 {
- "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.asa.destination_interface": "outside",
 "cisco.asa.message_id": "305011",
 "cisco.asa.source_interface": "inside",
@@ -55,7 +54,6 @@
 ]
 },
 {
- "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.asa.connection_id": "11757",
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.mapped_destination_ip": "172.31.98.44",
@@ -116,7 +114,6 @@
 ]
 },
 {
- "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.asa.connection_id": "11749",
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302014",
@@ -178,7 +175,6 @@
 ]
 },
 {
- "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.asa.connection_id": "11748",
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302014",
@@ -240,7 +236,6 @@
 ]
 },
 {
- "@timestamp": "2018-10-10T12:34:56.000-02:00",
 "cisco.asa.connection_id": "11745",
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "302014",
@@ -302,7 +297,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11744", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -364,7 +358,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11742", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -426,7 +419,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11738", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -488,7 +480,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11739", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -550,7 +541,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11731", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -612,7 +602,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11723", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -674,7 +663,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11715", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -736,7 +724,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11711", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -798,7 +785,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11712", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -860,7 +846,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11708", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", 
@@ -922,7 +907,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11746", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -984,7 +968,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11706", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -1046,7 +1029,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11702", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -1108,7 +1090,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11753", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -1170,7 +1151,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -1225,7 +1205,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11758", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -1286,7 +1265,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11758", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302016", @@ -1347,7 +1325,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11759", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -1408,7 +1385,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11759", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302016", @@ -1469,7 +1445,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", 
@@ -1524,7 +1499,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11760", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -1585,7 +1559,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -1640,7 +1613,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11761", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -1701,7 +1673,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11762", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -1762,7 +1733,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11763", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -1823,7 +1793,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11762", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302016", @@ -1884,7 +1853,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11763", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302016", @@ -1945,7 +1913,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -2000,7 +1967,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11764", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", 
@@ -2061,7 +2027,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -2116,7 +2081,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11772", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -2177,7 +2141,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11773", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -2238,7 +2201,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11772", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302016", @@ -2299,7 +2261,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11773", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302016", @@ -2360,7 +2321,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -2415,7 +2375,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11774", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -2476,7 +2435,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11775", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -2537,7 +2495,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11776", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", 
@@ -2598,7 +2555,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11775", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302016", @@ -2659,7 +2615,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11776", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302016", @@ -2720,7 +2675,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -2775,7 +2729,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11777", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -2836,7 +2789,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11777", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -2898,7 +2850,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11779", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -2959,7 +2910,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11778", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302016", @@ -3020,7 +2970,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11779", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302016", @@ -3081,7 +3030,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -3136,7 +3084,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11780", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", 
@@ -3197,7 +3144,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -3252,7 +3198,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11781", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -3313,7 +3258,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -3368,7 +3312,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11782", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -3429,7 +3372,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11783", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -3490,7 +3432,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11783", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302016", @@ -3551,7 +3492,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -3606,7 +3546,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11784", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -3667,7 +3606,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", 
@@ -3722,7 +3660,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11785", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -3783,7 +3720,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11786", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -3844,7 +3780,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11784", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -3906,7 +3841,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -3961,7 +3895,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11787", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -4022,7 +3955,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11786", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302016", @@ -4083,7 +4015,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -4138,7 +4069,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11788", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -4199,7 +4129,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", "cisco.asa.source_interface": "inside", 
@@ -4258,7 +4187,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -4313,7 +4241,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11797", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.156.80", @@ -4374,7 +4301,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", "cisco.asa.source_interface": "inside", @@ -4433,7 +4359,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", "cisco.asa.source_interface": "inside", @@ -4492,7 +4417,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", "cisco.asa.source_interface": "inside", @@ -4551,7 +4475,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", "cisco.asa.source_interface": "inside", @@ -4610,7 +4533,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", "cisco.asa.source_interface": "inside", @@ -4669,7 +4591,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", "cisco.asa.source_interface": "inside", @@ -4728,7 +4649,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11564", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -4790,7 +4710,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11797", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", 
@@ -4852,7 +4771,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -4907,7 +4825,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11798", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.156.80", @@ -4968,7 +4885,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "inbound", @@ -5026,7 +4942,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "inbound", @@ -5084,7 +4999,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "inbound", @@ -5142,7 +5056,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "inbound", @@ -5200,7 +5113,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "inbound", @@ -5258,7 +5170,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "inbound", @@ -5316,7 +5227,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "inbound", @@ -5374,7 +5284,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "inbound", 
@@ -5432,7 +5341,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "inbound", @@ -5490,7 +5398,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "inbound", @@ -5548,7 +5455,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "inbound", @@ -5606,7 +5512,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "inbound", @@ -5664,7 +5569,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "inbound", @@ -5722,7 +5626,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -5777,7 +5680,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11799", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -5838,7 +5740,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -5893,7 +5794,6 @@ ] }, { - "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11800", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", diff --git a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json index e959ed69145..598cd963c84 100644 
--- a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2019-10-10T10:21:36.000-02:00", "cisco.asa.mapped_source_ip": "10.0.55.66", "cisco.asa.message_id": "302021", "destination.domain": "target.destination.hostname.local", @@ -48,7 +47,6 @@ ] }, { - "@timestamp": "2011-06-04T21:59:52.000-02:00", "cisco.asa.icmp_code": 0, "cisco.asa.icmp_type": 8, "cisco.asa.mapped_source_ip": "192.0.2.134", diff --git a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json index 09357b0121b..2301c80480a 100644 --- a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2019-10-04T15:27:55.000-02:00", "cisco.asa.destination_interface": "OUTSIDE", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "AL-DMZ-LB-IN", @@ -53,7 +52,6 @@ ] }, { - "@timestamp": "2020-01-01T10:42:53.000-02:00", "cisco.asa.mapped_source_host": "mydomain.example.net", "cisco.asa.message_id": "302021", "destination.address": "172.24.177.29", @@ -102,7 +100,6 @@ ] }, { - "@timestamp": "2020-01-02T11:33:20.000-02:00", "cisco.asa.destination_interface": "wan", "cisco.asa.mapped_destination_host": "www.example.org", "cisco.asa.mapped_destination_port": 80, diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json index 65608c192ee..70dc3befff2 100644 --- a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2013-04-15T09:36:50.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "acl_dmz", 
@@ -51,7 +50,6 @@ ] }, { - "@timestamp": "2013-04-15T09:36:50.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "acl_dmz", @@ -102,7 +100,6 @@ ] }, { - "@timestamp": "2014-04-15T11:34:34.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -154,7 +151,6 @@ ] }, { - "@timestamp": "2013-04-24T16:00:28.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "inside", @@ -210,7 +206,6 @@ ] }, { - "@timestamp": "2013-04-24T16:00:27.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "inside", @@ -266,7 +261,6 @@ ] }, { - "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "outside", @@ -314,7 +308,6 @@ ] }, { - "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.asa.connection_id": "89743274", "cisco.asa.destination_interface": "outside", "cisco.asa.mapped_destination_ip": "10.123.3.42", @@ -369,7 +362,6 @@ ] }, { - "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "outside", @@ -417,7 +409,6 @@ ] }, { - "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.asa.connection_id": "89743275", "cisco.asa.destination_interface": "outside", "cisco.asa.mapped_destination_ip": "10.123.1.35", @@ -474,7 +465,6 @@ ] }, { - "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "outside", @@ -522,7 +512,6 @@ ] }, { - "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.asa.connection_id": "89743276", "cisco.asa.destination_interface": "outside", "cisco.asa.mapped_destination_ip": "10.123.3.130", 
@@ -579,7 +568,6 @@ ] }, { - "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.asa.connection_id": "89743275", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302016", @@ -633,7 +621,6 @@ ] }, { - "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.asa.connection_id": "666", "cisco.asa.destination_interface": "inside", "cisco.asa.destination_username": "user2", @@ -696,7 +683,6 @@ "user.name": "user2" }, { - "@timestamp": "2011-06-04T21:59:52.000-02:00", "cisco.asa.mapped_source_ip": "192.168.132.46", "cisco.asa.message_id": "302021", "destination.address": "172.24.177.29", @@ -745,7 +731,6 @@ ] }, { - "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -793,7 +778,6 @@ ] }, { - "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.asa.connection_id": "89743277", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "10.0.0.130", @@ -850,7 +834,6 @@ ] }, { - "@timestamp": "2013-04-30T09:22:33.000-02:00", "cisco.asa.message_id": "106007", "destination.address": "10.1.2.60", "destination.ip": "10.1.2.60", @@ -898,7 +881,6 @@ ] }, { - "@timestamp": "2013-04-30T09:22:38.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -949,7 +931,6 @@ ] }, { - "@timestamp": "2013-04-30T09:22:38.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -1000,7 +981,6 @@ ] }, { - "@timestamp": "2013-04-30T09:22:39.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -1051,7 +1031,6 @@ ] }, { - "@timestamp": "2013-04-30T09:22:39.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", 
@@ -1102,7 +1081,6 @@ ] }, { - "@timestamp": "2013-04-30T09:22:39.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -1153,7 +1131,6 @@ ] }, { - "@timestamp": "2013-04-30T09:22:40.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -1204,7 +1181,6 @@ ] }, { - "@timestamp": "2013-04-30T09:22:41.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -1255,7 +1231,6 @@ ] }, { - "@timestamp": "2013-04-30T09:22:47.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -1306,7 +1281,6 @@ ] }, { - "@timestamp": "2013-04-30T09:22:48.000-02:00", "cisco.asa.destination_interface": "dmz", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -1357,7 +1331,6 @@ ] }, { - "@timestamp": "2013-04-30T09:22:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -1408,7 +1381,6 @@ ] }, { - "@timestamp": "2013-04-30T09:23:02.000-02:00", "cisco.asa.message_id": "106006", "cisco.asa.source_interface": "inside", "destination.address": "10.1.2.42", @@ -1457,7 +1429,6 @@ ] }, { - "@timestamp": "2013-04-30T09:23:03.000-02:00", "cisco.asa.message_id": "106007", "destination.address": "10.1.5.60", "destination.ip": "10.1.5.60", @@ -1505,7 +1476,6 @@ ] }, { - "@timestamp": "2013-04-30T09:23:06.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -1556,7 +1526,6 @@ ] }, { - "@timestamp": "2013-04-30T09:23:08.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", 
@@ -1607,7 +1576,6 @@ ] }, { - "@timestamp": "2013-04-30T09:23:15.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -1658,7 +1626,6 @@ ] }, { - "@timestamp": "2013-04-30T09:23:24.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -1709,7 +1676,6 @@ ] }, { - "@timestamp": "2013-04-30T09:23:34.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -1760,7 +1726,6 @@ ] }, { - "@timestamp": "2013-04-30T09:23:40.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "acl_out", @@ -1811,7 +1776,6 @@ ] }, { - "@timestamp": "2013-04-30T09:23:41.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "acl_out", @@ -1862,7 +1826,6 @@ ] }, { - "@timestamp": "2013-04-30T09:23:43.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -1913,7 +1876,6 @@ ] }, { - "@timestamp": "2013-04-30T09:23:43.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -1964,7 +1926,6 @@ ] }, { - "@timestamp": "2018-04-15T11:34:34.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -2016,7 +1977,6 @@ ] }, { - "@timestamp": "2018-12-11T08:01:24.000-02:00", "cisco.asa.connection_id": "447235", "cisco.asa.destination_interface": "identity", "cisco.asa.mapped_destination_ip": "10.0.13.13", @@ -2071,7 +2031,6 @@ ] }, { - "@timestamp": "2018-12-11T08:01:24.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "dmz", 
@@ -2123,7 +2082,6 @@ ] }, { - "@timestamp": "2018-12-11T08:01:24.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "dmz", @@ -2175,7 +2133,6 @@ ] }, { - "@timestamp": "2018-12-11T08:01:31.000-02:00", "cisco.asa.connection_id": "447236", "cisco.asa.destination_interface": "dmz", "cisco.asa.mapped_destination_host": "OCSP_Server", @@ -2231,7 +2188,6 @@ ] }, { - "@timestamp": "2018-12-11T08:01:31.000-02:00", "cisco.asa.connection_id": "447236", "cisco.asa.destination_interface": "dmz", "cisco.asa.mapped_destination_host": "OCSP_Server", @@ -2287,7 +2243,6 @@ ] }, { - "@timestamp": "2018-12-11T08:01:31.000-02:00", "cisco.asa.connection_id": "447236", "cisco.asa.destination_interface": "dmz", "cisco.asa.message_id": "302014", @@ -2343,7 +2298,6 @@ ] }, { - "@timestamp": "2018-12-11T08:01:38.000-02:00", "cisco.asa.connection_id": "447234", "cisco.asa.destination_interface": "dmz", "cisco.asa.message_id": "302014", @@ -2399,7 +2353,6 @@ ] }, { - "@timestamp": "2018-12-11T08:01:38.000-02:00", "cisco.asa.connection_id": "447234", "cisco.asa.destination_interface": "dmz", "cisco.asa.message_id": "302014", @@ -2455,7 +2408,6 @@ ] }, { - "@timestamp": "2018-12-11T08:01:38.000-02:00", "cisco.asa.message_id": "106015", "cisco.asa.source_interface": "outside", "destination.address": "192.168.1.34", @@ -2504,7 +2456,6 @@ ] }, { - "@timestamp": "2018-12-11T08:01:38.000-02:00", "cisco.asa.message_id": "106015", "cisco.asa.source_interface": "outside", "destination.address": "192.168.1.34", @@ -2553,7 +2504,6 @@ ] }, { - "@timestamp": "2018-12-11T08:01:39.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "dmz", @@ -2605,7 +2555,6 @@ ] }, { - "@timestamp": "2018-12-11T08:01:53.000-02:00", "cisco.asa.connection_id": "447237", "cisco.asa.destination_interface": "dmz", "cisco.asa.mapped_destination_ip": "192.168.1.34", 
@@ -2660,7 +2609,6 @@ ] }, { - "@timestamp": "2018-12-11T08:01:53.000-02:00", "cisco.asa.connection_id": "447237", "cisco.asa.destination_interface": "dmz", "cisco.asa.mapped_destination_ip": "192.168.1.34", @@ -2715,7 +2663,6 @@ ] }, { - "@timestamp": "2018-12-11T08:01:53.000-02:00", "cisco.asa.connection_id": "447237", "cisco.asa.destination_interface": "dmz", "cisco.asa.message_id": "302014", @@ -2771,7 +2718,6 @@ ] }, { - "@timestamp": "2012-08-15T23:30:09.000-02:00", "cisco.asa.connection_id": "40", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302016", @@ -2825,7 +2771,6 @@ ] }, { - "@timestamp": "2014-09-12T06:50:53.000-02:00", "cisco.asa.message_id": "106016", "cisco.asa.source_interface": "Mobile_Traffic", "destination.address": "192.88.99.47", @@ -2873,7 +2818,6 @@ ] }, { - "@timestamp": "2014-09-12T06:51:01.000-02:00", "cisco.asa.message_id": "106016", "cisco.asa.source_interface": "Mobile_Traffic", "destination.address": "192.88.99.57", @@ -2921,7 +2865,6 @@ ] }, { - "@timestamp": "2014-09-12T06:51:05.000-02:00", "cisco.asa.message_id": "106016", "cisco.asa.source_interface": "Mobile_Traffic", "destination.address": "192.88.99.47", @@ -2969,7 +2912,6 @@ ] }, { - "@timestamp": "2014-09-12T06:51:05.000-02:00", "cisco.asa.message_id": "106016", "cisco.asa.source_interface": "Mobile_Traffic", "destination.address": "192.88.99.47", @@ -3017,7 +2959,6 @@ ] }, { - "@timestamp": "2014-09-12T06:51:06.000-02:00", "cisco.asa.message_id": "106016", "cisco.asa.source_interface": "Mobile_Traffic", "destination.address": "192.88.99.57", @@ -3065,7 +3006,6 @@ ] }, { - "@timestamp": "2014-09-12T06:51:17.000-02:00", "cisco.asa.message_id": "106016", "cisco.asa.source_interface": "Mobile_Traffic", "destination.address": "192.88.99.57", @@ -3113,7 +3053,6 @@ ] }, { - "@timestamp": "2014-09-12T06:52:48.000-02:00", "cisco.asa.message_id": "106016", "cisco.asa.source_interface": "Mobile_Traffic", "destination.address": "192.168.1.255", 
@@ -3161,7 +3100,6 @@ ] }, { - "@timestamp": "2014-09-12T06:53:00.000-02:00", "cisco.asa.message_id": "106016", "cisco.asa.source_interface": "Mobile_Traffic", "destination.address": "192.168.1.255", @@ -3209,7 +3147,6 @@ ] }, { - "@timestamp": "2014-09-12T06:53:01.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "PERMIT_IN", @@ -3265,7 +3202,6 @@ ] }, { - "@timestamp": "2014-09-12T06:53:02.000-02:00", "cisco.asa.icmp_code": 3, "cisco.asa.icmp_type": 3, "cisco.asa.message_id": "313001", @@ -3314,7 +3250,6 @@ ] }, { - "@timestamp": "2015-01-14T13:16:13.000-02:00", "cisco.asa.icmp_type": 0, "cisco.asa.message_id": "313004", "cisco.asa.source_interface": "inside", @@ -3361,7 +3296,6 @@ ] }, { - "@timestamp": "2015-01-14T13:16:14.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.mapped_destination_ip": "192.88.99.129", "cisco.asa.mapped_destination_port": 80, @@ -3424,7 +3358,6 @@ ] }, { - "@timestamp": "2015-01-14T13:16:14.000-02:00", "cisco.asa.destination_interface": "outsidet", "cisco.asa.mapped_destination_ip": "192.0.2.223", "cisco.asa.mapped_destination_port": 80, @@ -3482,7 +3415,6 @@ ] }, { - "@timestamp": "2015-01-14T13:16:14.000-02:00", "cisco.asa.destination_interface": "outsidet", "cisco.asa.mapped_destination_ip": "192.0.2.223", "cisco.asa.mapped_destination_port": 80, @@ -3541,7 +3473,6 @@ ] }, { - "@timestamp": "2009-11-16T14:12:35.000-02:00", "cisco.asa.message_id": "304001", "destination.address": "192.0.2.1", "destination.ip": "192.0.2.1", @@ -3584,7 +3515,6 @@ "url.path": "/app" }, { - "@timestamp": "2009-11-16T14:12:36.000-02:00", "cisco.asa.message_id": "304001", "destination.address": "192.0.2.32", "destination.ip": "192.0.2.32", @@ -3629,7 +3559,6 @@ "url.scheme": "http" }, { - "@timestamp": "2009-11-16T14:12:37.000-02:00", "cisco.asa.message_id": "304002", "cisco.asa.source_interface": "inside", "destination.address": "192.0.0.19", 
@@ -3677,7 +3606,6 @@ "url.scheme": "http" }, { - "@timestamp": "2021-01-13T19:12:37.000-02:00", "cisco.asa.connection_id": "27215708", "cisco.asa.destination_interface": "vlan-42", "cisco.asa.mapped_destination_ip": "81.2.69.143", @@ -3746,7 +3674,6 @@ ] }, { - "@timestamp": "2021-01-13T19:12:37.000-02:00", "cisco.asa.message_id": "304001", "destination.address": "172.17.6.211", "destination.ip": "172.17.6.211", @@ -3796,7 +3723,6 @@ "url.scheme": "http" }, { - "@timestamp": "2021-01-13T19:12:37.000-02:00", "cisco.asa.connection_id": "195207391", "cisco.asa.destination_interface": "OUTSIDE", "cisco.asa.mapped_destination_ip": "89.160.20.156", @@ -3871,7 +3797,6 @@ ] }, { - "@timestamp": "2021-01-13T19:12:37.000-02:00", "cisco.asa.connection_id": "195207391", "cisco.asa.destination_interface": "OUTSIDE", "cisco.asa.mapped_destination_ip": "89.160.20.156", @@ -3950,7 +3875,6 @@ ] }, { - "@timestamp": "2021-01-13T19:12:37.000-02:00", "cisco.asa.destination_username": "LOCAL\\USER001", "cisco.asa.icmp_code": 3, "cisco.asa.icmp_type": 3, @@ -4015,7 +3939,6 @@ "user.name": "USER001" }, { - "@timestamp": "2021-01-13T19:12:37.000-02:00", "cisco.asa.destination_username": "LOCAL\\user@domain.tld", "cisco.asa.icmp_code": 3, "cisco.asa.icmp_type": 3, @@ -4085,7 +4008,6 @@ "user.name": "user@domain.tld" }, { - "@timestamp": "2021-01-13T19:12:37.000-02:00", "cisco.asa.destination_username": "AD\\USER002", "cisco.asa.icmp_code": 3, "cisco.asa.icmp_type": 3, @@ -4154,7 +4076,6 @@ "user.name": "USER002" }, { - "@timestamp": "2021-01-15T19:12:37.000-02:00", "cisco.asa.destination_interface": "OUTSIDE", "cisco.asa.message_id": "305012", "cisco.asa.source_interface": "OUTSIDE", @@ -4213,7 +4134,6 @@ ] }, { - "@timestamp": "2021-01-15T19:12:37.000-02:00", "cisco.asa.icmp_code": 0, "cisco.asa.icmp_type": 134, "cisco.asa.mapped_source_ip": "fe80::2205:baff:fe9d:f637", 
@@ -4259,7 +4179,6 @@ ] }, { - "@timestamp": "2021-01-15T19:12:37.000-02:00", "cisco.asa.connection_id": "251933191", "cisco.asa.destination_interface": "OUTSIDE", "cisco.asa.mapped_destination_ip": "2a03:2880:f253:cb:face:b00c:0:43fe", @@ -4314,7 +4233,6 @@ ] }, { - "@timestamp": "2021-01-15T19:12:37.000-02:00", "cisco.asa.destination_interface": "OUTSIDE", "cisco.asa.message_id": "305012", "cisco.asa.source_interface": "OUTSIDE", @@ -4385,7 +4303,6 @@ ] }, { - "@timestamp": "2021-01-15T19:12:37.000-02:00", "cisco.asa.connection_id": "261246338", "cisco.asa.destination_interface": "OUTSIDE", "cisco.asa.message_id": "302014", @@ -4461,7 +4378,6 @@ ] }, { - "@timestamp": "2021-01-15T19:12:37.000-02:00", "cisco.asa.connection_id": "261311655", "cisco.asa.destination_interface": "INSIDE", "cisco.asa.mapped_destination_ip": "192.168.0.1", @@ -4537,7 +4453,6 @@ ] }, { - "@timestamp": "2021-01-15T19:12:37.000-02:00", "cisco.asa.connection_id": "261311655", "cisco.asa.destination_interface": "INSIDE", "cisco.asa.message_id": "302016", @@ -4611,7 +4526,6 @@ ] }, { - "@timestamp": "2021-01-15T19:12:37.000-02:00", "cisco.asa.connection_id": "261246338", "cisco.asa.destination_interface": "OUTSIDE", "cisco.asa.mapped_destination_ip": "40.0.0.1", @@ -4687,7 +4601,6 @@ ] }, { - "@timestamp": "2021-07-29T08:35:29.000-02:00", "cisco.asa.message_id": "602304", "cisco.asa.tunnel_type": "LAN-to-LAN", "destination.address": "81.2.69.1452",